
Analysis Report: Delivery 9073782912,pdf.exe

Overview

General Information

Sample Name: Delivery 9073782912,pdf.exe
Analysis ID: 356845
MD5: 8b22f061055264b77361c6fe7941e25f
SHA1: 8251185b5bc6cb83e99139a7e480541a0363bc43
SHA256: 7fbc2450a78cb9a8b033dd654c2b2378a7e9f3ea7f89bd0db57f907685a2c4cf
Tags: DHL, exe, SnakeKeylogger

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
PE file contains section with special chars
PE file has nameless sections
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Beds Obfuscator
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "info@3ptechnik.xyzgF*BS#rb4smtp.3ptechnik.xyz"}}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000008.00000002.910649782.0000000000402000.00000040.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
00000008.00000002.910649782.0000000000402000.00000040.00000001.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
Process Memory Space: Delivery 9073782912,pdf.exe PID: 6880 | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
(4 further entries not shown)

            Unpacked PEs

Source | Rule | Description | Author
8.2.Delivery 9073782912,pdf.exe.400000.0.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
8.2.Delivery 9073782912,pdf.exe.400000.0.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0.2.Delivery 9073782912,pdf.exe.4f22e08.3.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security
(3 further entries not shown)

                      Sigma Overview

                      No Sigma rule has matched

                      Signature Overview

                      AV Detection:

Found malware configuration
Source: 00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "info@3ptechnik.xyzgF*BS#rb4smtp.3ptechnik.xyz"}}
Multi AV Scanner detection for submitted file
Source: Delivery 9073782912,pdf.exe | ReversingLabs: Detection: 27%
Machine Learning detection for sample
Source: Delivery 9073782912,pdf.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 8.2.Delivery 9073782912,pdf.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 0.2.Delivery 9073782912,pdf.exe.e10000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen3

                      Compliance:

Uses 32bit PE files
Source: Delivery 9073782912,pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown | HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.4:49746 version: TLS 1.0
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Delivery 9073782912,pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then xor edx, edx
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then xor edx, edx
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
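
The TLS 1.0 session flagged above and the JA3 value listed under Networking (54328bd36c14bd82ddaa0c04b25ed9ad) are two views of the same ClientHello: JA3 is the MD5 of "version,ciphers,extensions,groups,point formats" read off that message, so a client pinned to TLS 1.0 with a fixed cipher list yields a stable hash that can be matched across samples, which is why the fingerprint is "seen in connection with other malware". The following is an added example, not code from the report or from Joe Sandbox, showing how that string is derived from raw ClientHello bytes. The ClientHello it parses is constructed inline (TLS 1.0, three ciphers, SNI for checkip.dyndns.org, supported_groups, ec_point_formats) so that it runs offline; it is not the sample's traffic and its hash is not the report's value.

```python
"""Derive a JA3 fingerprint from a raw TLS ClientHello record.

Added example; not code from the Joe Sandbox report. The ClientHello used
for the self-test is constructed below, not captured from the sample.
"""
import hashlib
import struct

# RFC 8701 GREASE values; JA3 drops them so randomised GREASE does not change the hash.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def _u16_list(buf: bytes) -> list:
    return [struct.unpack_from(">H", buf, i)[0] for i in range(0, len(buf) - 1, 2)]


def _dash(values) -> str:
    return "-".join(str(v) for v in values)


def ja3_from_client_hello(record: bytes) -> tuple:
    """Parse one TLS record carrying a ClientHello; return (ja3_string, ja3_md5, version)."""
    ctype, _rec_ver, rec_len = struct.unpack_from(">BHH", record, 0)
    if ctype != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                                 # handshake type + 3-byte length
    version = struct.unpack_from(">H", hs, p)[0]          # client_version (0x0301 = TLS 1.0)
    p += 2 + 32                                           # client_version, random
    p += 1 + hs[p]                                        # session_id
    cs_len = struct.unpack_from(">H", hs, p)[0]
    p += 2
    ciphers = [c for c in _u16_list(hs[p:p + cs_len]) if c not in GREASE]
    p += cs_len
    p += 1 + hs[p]                                        # compression_methods
    exts, curves, points = [], [], []
    if p + 2 <= len(hs):
        end = p + 2 + struct.unpack_from(">H", hs, p)[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from(">HH", hs, p)
            body = hs[p + 4:p + 4 + elen]
            p += 4 + elen
            if etype in GREASE:
                continue
            exts.append(etype)
            if etype == 10:                               # supported_groups (elliptic_curves)
                curves = [g for g in _u16_list(body[2:]) if g not in GREASE]
            elif etype == 11:                             # ec_point_formats
                points = list(body[1:])
    ja3 = f"{version},{_dash(ciphers)},{_dash(exts)},{_dash(curves)},{_dash(points)}"
    return ja3, hashlib.md5(ja3.encode()).hexdigest(), version


def is_legacy_tls(version: int) -> bool:
    """TLS 1.0 (0x0301) and 1.1 (0x0302) are deprecated by RFC 8996."""
    return version < 0x0303


def build_demo_client_hello() -> bytes:
    """Constructed TLS 1.0 ClientHello (not captured from the sample): three
    ciphers, SNI for checkip.dyndns.org, supported_groups and ec_point_formats."""
    ciphers = b"".join(struct.pack(">H", c) for c in (0x002F, 0x0035, 0x000A))
    host = b"checkip.dyndns.org"
    sni = struct.pack(">H", len(host) + 3) + b"\x00" + struct.pack(">H", len(host)) + host
    groups = struct.pack(">HHH", 4, 23, 24)               # list length 4: secp256r1, secp384r1
    points = b"\x01\x00"                                  # one format: uncompressed
    exts = (struct.pack(">HH", 0, len(sni)) + sni
            + struct.pack(">HH", 10, len(groups)) + groups
            + struct.pack(">HH", 11, len(points)) + points)
    body = (struct.pack(">H", 0x0301) + bytes(32) + b"\x00"      # version, random, empty session id
            + struct.pack(">H", len(ciphers)) + ciphers
            + b"\x01\x00"                                         # one compression method: null
            + struct.pack(">H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


if __name__ == "__main__":
    s, h, v = ja3_from_client_hello(build_demo_client_hello())
    print(f"TLS 0x{v:04x} legacy={is_legacy_tls(v)} ja3={s} md5={h}")
```

The first field of the JA3 string is the client_version in decimal, so a TLS 1.0 client always produces "769,..."; feeding a pcap's ClientHello records through the same function lets you confirm whether a matching hash comes from the same cipher and extension list or merely a coincidence.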

                      Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: checkip.dyndns.org (4 queries)
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 162.88.193.70
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)  Host: checkip.dyndns.org  Connection: Keep-Alive (seen twice)
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)  Host: checkip.dyndns.org (seen twice)
Source: unknown | HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.4:49746 version: TLS 1.0
Source: unknown | DNS traffic detected: queries for: checkip.dyndns.org
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912423524.0000000002BF1000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912423524.0000000002BF1000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912423524.0000000002BF1000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org/HB&lTN
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912423524.0000000002BF1000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org4Sk
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.orgD8Sk
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Delivery 9073782912,pdf.exe, 00000000.00000003.651697965.000000000896B000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.comM
Source: Delivery 9073782912,pdf.exe, 00000000.00000003.651697965.000000000896B000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.comh
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: http://freegeoip.app
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912423524.0000000002BF1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Delivery 9073782912,pdf.exe, 00000000.00000003.654071949.0000000008956000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Delivery 9073782912,pdf.exe, 00000000.00000003.654071949.0000000008956000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comscr
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp, Delivery 9073782912,pdf.exe, 00000000.00000003.655756100.000000000898E000.00000004.00000001.sdmp, Delivery 9073782912,pdf.exe, 00000000.00000003.655604692.000000000898E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp, Delivery 9073782912,pdf.exe, 00000000.00000003.655879593.0000000008958000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp, Delivery 9073782912,pdf.exe, 00000000.00000003.655913964.000000000898E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Delivery 9073782912,pdf.exe, 00000000.00000003.660621776.000000000898B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersS
Source: Delivery 9073782912,pdf.exe, 00000000.00000003.656437070.000000000898E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersX
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Delivery 9073782912,pdf.exe, 00000000.00000003.653160870.000000000898D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cndd
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Delivery 9073782912,pdf.exe, 00000000.00000003.652561133.0000000008956000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Delivery 9073782912,pdf.exe, 00000000.00000003.652561133.0000000008956000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Delivery 9073782912,pdf.exe, 00000000.00000003.652561133.0000000008956000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krN.TTF
Source: Delivery 9073782912,pdf.exe, 00000000.00000003.652561133.0000000008956000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krs-e
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Delivery 9073782912,pdf.exe, 00000000.00000003.652165341.0000000008952000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comnm
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912423524.0000000002BF1000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app/xml/
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app/xml/84.17.52.38
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app/xml/84.17.52.38x
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912423524.0000000002BF1000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app/xml/LoadCountryNameClipboard
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app4Sk
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp, Delivery 9073782912,pdf.exe, 00000008.00000002.912571847.0000000002CD2000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
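
Taken together, the Networking section and the extracted configuration describe one sequence: resolve and fetch checkip.dyndns.org (with freegeoip.app strings in memory as a second geolocation source) using a fixed "MSIE 6.0" User-Agent, then deliver the harvested data over SMTP submission on port 587. The extractor prints the SMTP credential as one fused string, "info@3ptechnik.xyzgF*BS#rb4smtp.3ptechnik.xyz", which is user, password and server run together; reading the server as smtp.3ptechnik.xyz (the part from "smtp." onwards) is an assumption made by the example below, not something the report states. The Python is an added example and not the report's or Joe Sandbox's code: it tags constructed DNS, HTTP and network records (an assumed JSON-lines schema, not any vendor's format) and rates each process, so that an IP check alone, or an unexplained submission alone, scores medium, while IP check plus SMTP submission from a non-mail process, or any contact with the configured exfil host, scores high.

```python
"""Hunt for the Snake Keylogger network pattern in endpoint telemetry.

Added example, not from the Joe Sandbox report. The log lines are
constructed for the demo and the field names are an assumed schema.
"""
import json
from collections import defaultdict

IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com", "freegeoip.app"}
# User-Agent the sample sent to checkip.dyndns.org, copied from the report.
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SANCTIONED_RELAYS = {"smtp.office365.com"}            # assumed corporate allow-list
# Exfil server and port from the extracted config; "smtp.3ptechnik.xyz" is this
# example's reading of the fused credential string (an assumption, see lead-in).
KNOWN_EXFIL = {("smtp.3ptechnik.xyz", 587)}

RECON_TAGS = {"ip-check-dns", "ip-check-non-browser", "legacy-dotnet-ua"}
EXFIL_TAGS = {"known-exfil-smtp", "smtp-submission-non-mail-client"}

# Constructed telemetry (assumed JSON-lines schema), one record per line.
SAMPLE_LOG = """\
{"ts": "2021-02-17T10:01:03Z", "kind": "dns", "host": "WS01", "proc": "Delivery 9073782912,pdf.exe", "query": "checkip.dyndns.org"}
{"ts": "2021-02-17T10:01:04Z", "kind": "http", "host": "WS01", "proc": "Delivery 9073782912,pdf.exe", "dst_host": "checkip.dyndns.org", "ua": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"}
{"ts": "2021-02-17T10:01:09Z", "kind": "net", "host": "WS01", "proc": "Delivery 9073782912,pdf.exe", "dst": "smtp.3ptechnik.xyz", "dport": 587}
{"ts": "2021-02-17T10:02:00Z", "kind": "http", "host": "WS02", "proc": "chrome.exe", "dst_host": "checkip.dyndns.org", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/88.0"}
{"ts": "2021-02-17T10:03:00Z", "kind": "net", "host": "WS03", "proc": "outlook.exe", "dst": "smtp.office365.com", "dport": 587}
{"ts": "2021-02-17T10:04:00Z", "kind": "net", "host": "WS04", "proc": "updater.exe", "dst": "mail.example.net", "dport": 587}
"""


def tag_event(ev: dict) -> list:
    """Return the detection tags that one telemetry record triggers."""
    tags = []
    proc = ev.get("proc", "").lower()
    kind = ev["kind"]
    if kind == "dns" and ev["query"].lower() in IP_CHECK_HOSTS:
        tags.append("ip-check-dns")
    elif kind == "http":
        # Browsers legitimately visit IP-check sites; a non-browser process doing so is the tell.
        if ev["dst_host"].lower() in IP_CHECK_HOSTS and proc not in BROWSERS:
            tags.append("ip-check-non-browser")
        if ev["ua"] == LEGACY_UA:
            tags.append("legacy-dotnet-ua")
    elif kind == "net" and ev["dport"] == 587:
        if (ev["dst"].lower(), ev["dport"]) in KNOWN_EXFIL:
            tags.append("known-exfil-smtp")
        elif proc not in MAIL_CLIENTS and ev["dst"].lower() not in SANCTIONED_RELAYS:
            tags.append("smtp-submission-non-mail-client")
    return tags


def hunt(log_text: str) -> dict:
    """Group tags per (host, process) and rate each one: high when the configured
    exfil host is contacted or recon and exfil both occur, medium for either alone."""
    per_proc = defaultdict(set)
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        for tag in tag_event(ev):
            per_proc[(ev["host"], ev["proc"])].add(tag)
    verdicts = {}
    for key, tags in per_proc.items():
        if "known-exfil-smtp" in tags or (tags & RECON_TAGS and tags & EXFIL_TAGS):
            level = "high"
        else:
            level = "medium"
        verdicts[key] = {"level": level, "tags": sorted(tags)}
    return verdicts


if __name__ == "__main__":
    for (host, proc), v in hunt(SAMPLE_LOG).items():
        print(f"{v['level']:6} {host} {proc}: {', '.join(v['tags'])}")
```

Only tagged records enter the per-process table, so browsers hitting the IP-check site and a mail client talking to the sanctioned relay never appear; the self-spawned copy of the sample is the only high-rated entry in the constructed data.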

                      System Summary:

PE file contains section with special chars
Source: Delivery 9073782912,pdf.exe | Static PE information: section name: **!@q|@
PE file has nameless sections
Source: Delivery 9073782912,pdf.exe | Static PE information: section name: (empty)
Detected potential crypto function
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code functions: 0_2_031A0500, 0_2_031A4500, 0_2_031A2C28, 0_2_031A3628, 0_2_031A24D8, 0_2_031A30C0, 0_2_031A5408, 0_2_031A1980, 0_2_03312240, 0_2_0331AB4C, 0_2_03312230, 0_2_0331A0B0, 0_2_0331A0A0, 0_2_033180E4, 0_2_0331C0D8, 0_2_08434944, 0_2_08434864, 0_2_0843EC28, 0_2_0843EC38
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code functions: 8_2_010381B0, 8_2_01030580, 8_2_0103B2B0, 8_2_01037B89, 8_2_01034630, 8_2_01030BE0, 8_2_010310F8, 8_2_01031612, 8_2_010359E0, 8_2_061D0EF8, 8_2_061D37F0, 8_2_061D3FF0, 8_2_061D47F0, 8_2_061D4FF0, 8_2_061D1C50, 8_2_061DF4D8, 8_2_061D0040, 8_2_061D08A8, 8_2_061DE960, 8_2_061D0E99, 8_2_061D4790, 8_2_061D4F90, 8_2_061D3F92, 8_2_061D37E0, 8_2_061DF478, 8_2_061D3465, 8_2_061D0006, 8_2_061D7932, 8_2_061F0040, 8_2_061F40D8, 8_2_061F0828, 8_2_061F48C0, 8_2_061F2970, 8_2_061F17F8, 8_2_061F1010, 8_2_061F3158, 8_2_061F1FE0, 8_2_061F3940, 8_2_061F07C8, 8_2_061F0006, 8_2_061F4128, 8_2_061F0FB0, 8_2_061F48B1, 8_2_061F290F, 8_2_061F1798, 8_2_061F30F8, 8_2_061F1F81
PE file contains strange resources
Source: Delivery 9073782912,pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Delivery 9073782912,pdf.exe, 00000000.00000000.645678736.0000000000E97000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename vs Delivery 9073782912,pdf.exe
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.737404793.00000000033B1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs Delivery 9073782912,pdf.exe
Source: Delivery 9073782912,pdf.exe, 00000000.00000002.737404793.00000000033B1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename45ZFWF8N.exe4 vs Delivery 9073782912,pdf.exe
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.910914612.0000000000B56000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Delivery 9073782912,pdf.exe
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.910706029.0000000000466000.00000040.00000001.sdmp | Binary or memory string: OriginalFilename45ZFWF8N.exe4 vs Delivery 9073782912,pdf.exe
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.910852766.00000000007A7000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename vs Delivery 9073782912,pdf.exe
Source: Delivery 9073782912,pdf.exe | Binary or memory string: OriginalFilename vs Delivery 9073782912,pdf.exe
Source: Delivery 9073782912,pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Delivery 9073782912,pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Delivery 9073782912,pdf.exe | Static PE information: Section: **!@q|@ ZLIB complexity 1.00040635487
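
The nameless section, the section named **!@q|@ and its ZLIB complexity above 1.0 (data that zlib cannot shrink at all, i.e. already compressed or encrypted) are all readable from the section table without running the sample, which makes them cheap triage signals for a packed .NET dropper of this kind. The following is an added example, not the report's or Joe Sandbox's code: it walks the MZ, PE and COFF headers with the standard library only, flags empty or special-character section names, RWX sections and high-entropy section data, and builds a small constructed PE image for its self-test. That image is not the analysed sample; the name allow-list and the 7.0 bits-per-byte threshold are the example's own choices.

```python
"""Flag PE section tables with nameless, oddly named, RWX or high-entropy sections.

Added example, not part of the Joe Sandbox report. Standard library only;
the PE image used for the self-test is a constructed minimal header.
"""
import math
import string
import struct
import sys
from collections import Counter

# Names common linkers emit; anything else deserves a second look.
STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                  ".edata", ".pdata", ".tls", ".bss", ".CRT", ".didat"}
NAME_CHARS = set(string.ascii_letters + string.digits + "._$")
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
HIGH_ENTROPY = 7.0          # bits/byte; packed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a buffer; 0.0 for empty or constant data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes) -> list:
    """Walk MZ -> PE -> COFF -> section table; return (name, raw_size, raw_ptr, chars)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size                      # section headers follow the optional header
    sections = []
    for i in range(nsections):
        off = table + 40 * i
        name_raw = image[off:off + 8]
        _vsize, _vaddr, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from("<IIIIIIHHI", image, off + 8)
        sections.append((name_raw, raw_size, raw_ptr, chars))
    return sections


def section_findings(image: bytes) -> list:
    """Return (section_name, code, detail) triples for suspicious sections."""
    findings = []
    for name_raw, raw_size, raw_ptr, chars in parse_sections(image):
        name = name_raw.rstrip(b"\0").decode("latin-1")
        if name == "":
            findings.append((name, "nameless", "empty section name"))
        elif not set(name) <= NAME_CHARS:
            findings.append((name, "special-chars", "section name contains special characters"))
        elif name not in STANDARD_NAMES:
            findings.append((name, "non-standard-name", "name not emitted by common linkers"))
        ent = shannon_entropy(image[raw_ptr:raw_ptr + raw_size])
        if ent >= HIGH_ENTROPY:
            findings.append((name, "high-entropy", f"{ent:.2f} bits/byte (packed or encrypted)"))
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append((name, "writable-executable", "RWX section"))
    return findings


def make_demo_image() -> bytes:
    """Constructed minimal PE (not the analysed sample) with three sections: a plain
    .text, a nameless high-entropy RWX section, and one named like the report's
    **!@q|@. SizeOfOptionalHeader is 0 to keep the image short."""
    layout = [(b".text", b"\x90" * 16, IMAGE_SCN_MEM_EXECUTE),                       # constant bytes: entropy 0
              (b"", bytes(range(256)), IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),  # every byte once: entropy 8
              (b"**!@q|@", b"\0" * 16, 0)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                                # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 0, 0x102)            # i386, EXECUTABLE|32BIT
    headers, body = b"", b""
    ptr = 0x40 + 4 + 20 + 40 * len(layout)                                            # first raw data offset
    for name, data, chars in layout:
        headers += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(data), 0x1000, len(data), ptr, 0, 0, 0, 0, chars)
        body += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + headers + body


if __name__ == "__main__":
    target = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_demo_image()
    for name, code, detail in section_findings(target):
        print(f"{name!r:12} {code:20} {detail}")
```

Run it with a file path to triage a real binary, or without arguments to see the constructed image's findings; a normal linker output produces nothing, while a packed dropper shows up with empty or special-character names, near-8.0 entropy, or both.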
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@3/2
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Delivery 9073782912,pdf.exe.logJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: Delivery 9073782912,pdf.exe | ReversingLabs: Detection: 27%
Source: Delivery 9073782912,pdf.exe | String found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle
Source: Delivery 9073782912,pdf.exe | String found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail
Source: unknown | Process created: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe 'C:\Users\user\Desktop\Delivery 9073782912,pdf.exe'
Source: unknown | Process created: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe {path}
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Process created: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe {path}
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Delivery 9073782912,pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Delivery 9073782912,pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Yara detected Beds Obfuscator
Source: Yara match | File source: 00000008.00000002.910649782.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6880, type: MEMORY
Source: Yara match | File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6980, type: MEMORY
Source: Yara match | File source: 8.2.Delivery 9073782912,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.4f22e08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.raw.unpack, type: UNPACKEDPE
Source: Delivery 9073782912,pdf.exe | Static PE information: section name: **!@q|@
Source: Delivery 9073782912,pdf.exe | Static PE information: section name: (empty)
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 0_2_03317C98 push esp; ret
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 0_2_084325E0 pushad ; ret
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 8_2_061DBC05 push 8B000003h; iretd
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 8_2_061DB507 push es; iretd
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 8_2_061DB0D0 pushfd ; iretd
Source: initial sample | Static PE information: section name: **!@q|@ entropy: 7.99766880008
Source: initial sample | Static PE information: section name: .text entropy: 7.94676615922
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected Beds Obfuscator
Source: Yara match | File source: 00000008.00000002.910649782.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6880, type: MEMORY
Source: Yara match | File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6980, type: MEMORY
Source: Yara match | File source: 8.2.Delivery 9073782912,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.4f22e08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 8_2_061D3465 rdtsc
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe TID: 7028 | Thread sleep time: -55000s >= -30000s
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe TID: 7016 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe TID: 7028 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 0_2_031A1750 CheckRemoteDebuggerPresent,
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 8_2_061D3465 rdtsc
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 8_2_061D1C50 LdrInitializeThunk,KiUserExceptionDispatcher,
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Memory written: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Process created: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe {path}
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.911703112.00000000014E0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.911703112.00000000014E0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.911703112.00000000014E0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.911703112.00000000014E0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

Yara detected Snake Keylogger
Source: Yara match | File source: 00000008.00000002.910649782.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6880, type: MEMORY
Source: Yara match | File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6980, type: MEMORY
Source: Yara match | File source: 8.2.Delivery 9073782912,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.4f22e08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6880, type: MEMORY

                      Remote Access Functionality:

Yara detected Snake Keylogger
Source: Yara match | File source: 00000008.00000002.910649782.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6880, type: MEMORY
Source: Yara match | File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6980, type: MEMORY
Source: Yara match | File source: 8.2.Delivery 9073782912,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.4f22e08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter2 | Path Interception | Process Injection112 | Masquerading1 | OS Credential Dumping1 | Security Software Discovery12 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion3 | LSASS Memory | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Local System1 | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information3 | LSA Secrets | System Network Configuration Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing4 | Cached Domain Credentials | System Information Discovery13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

                      Behavior Graph



                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
Delivery 9073782912,pdf.exe | 28% | ReversingLabs | Win32.Trojan.AgentTesla
Delivery 9073782912,pdf.exe | 100% | Joe Sandbox ML |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
8.2.Delivery 9073782912,pdf.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen
0.2.Delivery 9073782912,pdf.exe.e10000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen3

                      Domains

Source | Detection | Scanner | Label
freegeoip.app | 0% | Virustotal |

                      URLs


                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
freegeoip.app | 104.21.19.200 | true | false | | unknown
checkip.dyndns.com | 162.88.193.70 | true | false | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown

                          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | Avira URL Cloud: safe | unknown

                          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | false | | high
https://freegeoip.app | Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersX | Delivery 9073782912,pdf.exe, 00000000.00000003.656437070.000000000898E000.00000004.00000001.sdmp | false | | high
http://www.tiro.com | Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp, Delivery 9073782912,pdf.exe, 00000000.00000003.655756100.000000000898E000.00000004.00000001.sdmp, Delivery 9073782912,pdf.exe, 00000000.00000003.655604692.000000000898E000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | Delivery 9073782912,pdf.exe, 00000000.00000003.652561133.0000000008956000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | Delivery 9073782912,pdf.exe, 00000000.00000003.654071949.0000000008956000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.comnm | Delivery 9073782912,pdf.exe, 00000000.00000003.652165341.0000000008952000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://fontfabrik.comM | Delivery 9073782912,pdf.exe, 00000000.00000003.651697965.000000000896B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersS | Delivery 9073782912,pdf.exe, 00000000.00000003.660621776.000000000898B000.00000004.00000001.sdmp | false | | high
http://www.sajatypeworks.com | Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.krs-e | Delivery 9073782912,pdf.exe, 00000000.00000003.652561133.0000000008956000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://fontfabrik.com | Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comscr | Delivery 9073782912,pdf.exe, 00000000.00000003.654071949.0000000008956000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8 | Delivery 9073782912,pdf.exe, 00000008.00000002.912423524.0000000002BF1000.00000004.00000001.sdmp | false | | high
http://www.fonts.com | Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | Delivery 9073782912,pdf.exe, 00000000.00000003.652561133.0000000008956000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.com | Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://fontfabrik.comh | Delivery 9073782912,pdf.exe, 00000000.00000003.651697965.000000000896B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Delivery 9073782912,pdf.exe, 00000008.00000002.912423524.0000000002BF1000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://freegeoip.app | Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://freegeoip.app/xml/ | Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp | false | | high
http://checkip.dyndns.orgD8Sk | Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://freegeoip.app4Sk | Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org | Delivery 9073782912,pdf.exe, 00000008.00000002.912423524.0000000002BF1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sandoll.co.krN.TTF | Delivery 9073782912,pdf.exe, 00000000.00000003.652561133.0000000008956000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://freegeoip.app/xml/84.17.52.38x | Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://freegeoip.app/xml/LoadCountryNameClipboard | Delivery 9073782912,pdf.exe, 00000008.00000002.912423524.0000000002BF1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cndd | Delivery 9073782912,pdf.exe, 00000000.00000003.653160870.000000000898D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                                                http://www.carterandcone.comlDelivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.com/designers/cabarga.htmlNDelivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmpfalse
                                                  high
                                                  http://www.founder.com.cn/cnDelivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.com/designers/frere-user.htmlDelivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp, Delivery 9073782912,pdf.exe, 00000000.00000003.655879593.0000000008958000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://checkip.dyndns.org/HB&lTNDelivery 9073782912,pdf.exe, 00000008.00000002.912423524.0000000002BF1000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.jiyu-kobo.co.jp/Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.fontbureau.com/designers8Delivery 9073782912,pdf.exe, 00000000.00000002.746308507.0000000008B10000.00000002.00000001.sdmp, Delivery 9073782912,pdf.exe, 00000000.00000003.655913964.000000000898E000.00000004.00000001.sdmpfalse
                                                      high
                                                      https://freegeoip.app/xml/84.17.52.38Delivery 9073782912,pdf.exe, 00000008.00000002.912516195.0000000002CA4000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://checkip.dyndns.org4SkDelivery 9073782912,pdf.exe, 00000008.00000002.912423524.0000000002BF1000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown

                                                      Contacted IPs


                                                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
162.88.193.70 | unknown | United States | 33517 | DYNDNSUS | false
104.21.19.200 | unknown | United States | 13335 | CLOUDFLARENETUS | false
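The two contacted IPs, the checkip.dyndns.org and freegeoip.app URLs carved from process 8, and the JA3 fingerprint in the context tables further down are this sample's only network indicators, and both domains are legitimate public services that every URL reputation source rates safe. The Python below is an added example, not part of the Joe Sandbox report: it matches those indicators against a constructed proxy/TLS log and separately flags the behaviour the report labels "May check the online IP address of the machine", namely the same process asking checkip.dyndns.org for its public IP and then sending it to freegeoip.app. The log format, host names and timestamps are assumptions; the indicator values are taken from this page.

```python
"""Match the network indicators from this report against constructed proxy/TLS log lines."""
import shlex
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Indicators taken from the report: the sample asks checkip.dyndns.org for its public IP,
# then sends that IP to freegeoip.app/xml/<ip>; the IPs and JA3 hash are from the context tables.
IOC_DOMAINS = {"checkip.dyndns.org", "freegeoip.app"}
IOC_IPS = {"162.88.193.70", "104.21.19.200"}
IOC_JA3 = {"54328bd36c14bd82ddaa0c04b25ed9ad"}

# Constructed sample log in a hypothetical "epoch host process dst_ip sni ja3" format ("-" = absent).
# The chrome.exe line is a benign visit to the same IP-check service, to show why domain hits alone are weak.
SAMPLE_LOG = """\
1614102393 WS01 "Delivery 9073782912,pdf.exe" 162.88.193.70 checkip.dyndns.org -
1614102394 WS01 "Delivery 9073782912,pdf.exe" 104.21.19.200 freegeoip.app 54328bd36c14bd82ddaa0c04b25ed9ad
1614102400 WS02 chrome.exe 162.88.193.70 checkip.dyndns.org -
1614102410 WS03 powershell.exe 8.8.8.8 - -
"""


@dataclass
class Event:
    ts: int
    host: str
    proc: str
    dst: str
    sni: str
    ja3: str


def parse_log(text: str) -> List[Event]:
    """Parse the hypothetical log format; shlex keeps the quoted process name as one field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dst, sni, ja3 = shlex.split(line)
        events.append(Event(int(ts), host, proc, dst, sni, ja3))
    return events


def ioc_hits(events: List[Event]) -> List[Tuple[str, str, List[str]]]:
    """Atomic IOC matching: one (host, process, reasons) tuple per event touching any indicator."""
    hits = []
    for e in events:
        reasons = []
        if e.sni in IOC_DOMAINS:
            reasons.append("domain:" + e.sni)
        if e.dst in IOC_IPS:
            reasons.append("ip:" + e.dst)
        if e.ja3 in IOC_JA3:
            reasons.append("ja3:" + e.ja3)
        if reasons:
            hits.append((e.host, e.proc, reasons))
    return hits


def ip_lookup_sequences(events: List[Event], window: int = 60) -> List[Tuple[str, str]]:
    """Behavioural match: the same host+process queries checkip.dyndns.org and then
    freegeoip.app within `window` seconds, the order the carved strings imply."""
    by_key: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_key[(e.host, e.proc)].append(e)
    flagged = []
    for key, evs in by_key.items():
        last_checkip = None
        for e in evs:
            if e.sni == "checkip.dyndns.org":
                last_checkip = e.ts
            elif e.sni == "freegeoip.app" and last_checkip is not None and e.ts - last_checkip <= window:
                flagged.append(key)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in ioc_hits(evs):
        print("IOC hit:", hit)
    for key in ip_lookup_sequences(evs):
        print("IP-lookup sequence (strong signal):", key)
```

The atomic matcher reports three hits, including the benign Chrome visit, while the sequence matcher reports only the process that performed the lookup pair. In practice the Cloudflare IP 104.21.19.200 and the DynDNS IP 162.88.193.70 are shared infrastructure, so treat IP and domain hits as triage leads and the process-plus-sequence pattern as the alert.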

                                                      General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356845
Start date: 23.02.2021
Start time: 17:45:36
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 17s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Delivery 9073782912,pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@3/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.8% (good quality ratio 0.2%)
• Quality average: 18.8%
• Quality standard deviation: 31.6%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 13.64.90.137, 204.79.197.200, 13.107.21.200, 104.42.151.234, 23.211.6.115, 13.88.21.125, 104.43.139.144, 51.104.139.180, 2.20.142.209, 2.20.142.210, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247, 51.11.168.160
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                                      Simulations

                                                      Behavior and APIs

Time | Type | Description
17:46:33 | API Interceptor | 1x Sleep call for process: Delivery 9073782912,pdf.exe modified

                                                      Joe Sandbox View / Context

                                                      IPs

Match | Associated Sample Name / URL | Detection | Context
162.88.193.70 | P00760000.exe | malicious | checkip.dyndns.org/
 | Order.doc | malicious | checkip.dyndns.org/
 | Shipment Notification 6368638172.pdf.exe | malicious | checkip.dyndns.org/
 | Halkbank_Ekstre_20210223_082357_541079.exe | malicious | checkip.dyndns.org/
 | FOB offer_1164087223_I0133P2100363812.PDF.exe | malicious | checkip.dyndns.org/
 | purchase order 1.exe | malicious | checkip.dyndns.org/
 | telex transfer.exe | malicious | checkip.dyndns.org/
 | GPP.exe | malicious | checkip.dyndns.org/
 | #11032019 de investigaci#U00f3n de #U00f3rdenes,pdf.exe | malicious | checkip.dyndns.org/
 | Neue Bestellung_WJO-001, pdf.exe | malicious | checkip.dyndns.org/
 | swift payment.doc | malicious | checkip.dyndns.org/
 | Order.exe | malicious | checkip.dyndns.org/
 | Order.exe | malicious | checkip.dyndns.org/
 | PURCHASE ORDER.exe | malicious | checkip.dyndns.org/
 | telex transfer.exe | malicious | checkip.dyndns.org/
 | ORDEN DE COMPRA.exe | malicious | checkip.dyndns.org/
 | banka bilgisi.exe | malicious | checkip.dyndns.org/
 | purchase order.exe | malicious | checkip.dyndns.org/
 | XXXXXXXXXXXXXX.exe | malicious | checkip.dyndns.org/
 | 170221.exe | malicious | checkip.dyndns.org/

                                                      Domains

Match | Associated Sample Name / URL | Detection | Context
freegeoip.app | PO202100046.exe | malicious | 172.67.188.154
 | SSGLPOJ6212202.exe | malicious | 104.21.19.200
 | ST_PLC URGENT ORDER 0223308737,pdf.exe | malicious | 104.21.19.200
 | P00760000.exe | malicious | 104.21.19.200
 | Order.doc | malicious | 104.21.19.200
 | QUOTE.doc | malicious | 104.21.19.200
 | Shipment Notification 6368638172.pdf.exe | malicious | 172.67.188.154
 | purchase order.exe | malicious | 104.21.19.200
 | 9073782912,pdf.exe | malicious | 104.21.19.200
 | IMG_57109_Scanned.doc | malicious | 104.21.19.200
 | Purchase Order.exe | malicious | 104.21.19.200
 | dot crypted.exe | malicious | 104.21.19.200
 | v2.exe | malicious | 172.67.188.154
 | Shipping Document PL&BL Draft.exe | malicious | 172.67.188.154
 | Halkbank_Ekstre_20210223_082357_541079.exe | malicious | 172.67.188.154
 | FOB offer_1164087223_I0133P2100363812.PDF.exe | malicious | 104.21.19.200
 | PURCHASE ORDER CONFIRMATION.exe | malicious | 172.67.188.154
 | Yao Han Industries 61007-51333893QR001U,pdf.exe | malicious | 172.67.188.154
 | (appproved)WJO-TT180,pdf.exe | malicious | 104.21.19.200
 | purchase order.exe | malicious | 172.67.188.154
checkip.dyndns.com | PO202100046.exe | malicious | 131.186.113.70
 | SSGLPOJ6212202.exe | malicious | 216.146.43.70
 | ST_PLC URGENT ORDER 0223308737,pdf.exe | malicious | 216.146.43.70
 | P00760000.exe | malicious | 162.88.193.70
 | Order.doc | malicious | 131.186.113.70
 | QUOTE.doc | malicious | 216.146.43.70
 | Shipment Notification 6368638172.pdf.exe | malicious | 162.88.193.70
 | purchase order.exe | malicious | 131.186.113.70
 | 9073782912,pdf.exe | malicious | 216.146.43.70
 | IMG_57109_Scanned.doc | malicious | 131.186.113.70
 | Purchase Order.exe | malicious | 131.186.113.70
 | dot crypted.exe | malicious | 131.186.113.70
 | v2.exe | malicious | 131.186.113.70
 | Shipping Document PL&BL Draft.exe | malicious | 216.146.43.71
 | Halkbank_Ekstre_20210223_082357_541079.exe | malicious | 162.88.193.70
 | FOB offer_1164087223_I0133P2100363812.PDF.exe | malicious | 162.88.193.70
 | PURCHASE ORDER CONFIRMATION.exe | malicious | 131.186.113.70
 | Yao Han Industries 61007-51333893QR001U,pdf.exe | malicious | 131.186.113.70
 | (appproved)WJO-TT180,pdf.exe | malicious | 131.186.161.70
 | purchase order.exe | malicious | 131.186.113.70

                                                      ASN

Match | Associated Sample Name / URL | Detection | Context
CLOUDFLARENETUS | SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | malicious | 172.67.199.58
 | PO202100046.exe | malicious | 172.67.188.154
 | SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe | malicious | 172.67.213.210
 | SSGLPOJ6212202.exe | malicious | 172.67.188.154
 | ST_PLC URGENT ORDER 0223308737,pdf.exe | malicious | 104.21.19.200
 | SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe | malicious | 172.67.199.58
 | SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | malicious | 104.23.98.190
 | 1vuet1S3tI.exe | malicious | 172.67.199.58
 | P00760000.exe | malicious | 104.21.19.200
 | Order.doc | malicious | 104.21.19.200
 | QUOTE.doc | malicious | 104.21.19.200
 | Shipment Notification 6368638172.pdf.exe | malicious | 172.67.188.154
 | 2070121_SN-WS.exe | malicious | 104.21.71.230
 | purchase order.exe | malicious | 104.21.19.200
 | 9073782912,pdf.exe | malicious | 104.21.19.200
 | payment_advice.doc | malicious | 172.67.172.17
 | IMG_57109_Scanned.doc | malicious | 172.67.188.154
 | Purchase Order.exe | malicious | 104.21.19.200
 | dot crypted.exe | malicious | 104.21.19.200
 | New Order 2300030317388 InterMetro.exe | malicious | 172.67.172.17
DYNDNSUS | PO202100046.exe | malicious | 131.186.113.70
 | SSGLPOJ6212202.exe | malicious | 216.146.43.71
 | ST_PLC URGENT ORDER 0223308737,pdf.exe | malicious | 216.146.43.70
 | P00760000.exe | malicious | 162.88.193.70
 | Order.doc | malicious | 162.88.193.70
 | QUOTE.doc | malicious | 216.146.43.70
 | Shipment Notification 6368638172.pdf.exe | malicious | 162.88.193.70
 | purchase order.exe | malicious | 131.186.113.70
 | 9073782912,pdf.exe | malicious | 216.146.43.70
 | IMG_57109_Scanned.doc | malicious | 131.186.113.70
 | Purchase Order.exe | malicious | 131.186.113.70
 | dot crypted.exe | malicious | 131.186.113.70
 | v2.exe | malicious | 131.186.113.70
 | Shipping Document PL&BL Draft.exe | malicious | 216.146.43.71
 | Halkbank_Ekstre_20210223_082357_541079.exe | malicious | 162.88.193.70
 | FOB offer_1164087223_I0133P2100363812.PDF.exe | malicious | 162.88.193.70
 | PURCHASE ORDER CONFIRMATION.exe | malicious | 131.186.113.70
 | Yao Han Industries 61007-51333893QR001U,pdf.exe | malicious | 131.186.113.70
 | (appproved)WJO-TT180,pdf.exe | malicious | 131.186.161.70
 | purchase order.exe | malicious | 131.186.113.70

                                                      JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
54328bd36c14bd82ddaa0c04b25ed9ad | PO202100046.exe | malicious | 104.21.19.200
 | SSGLPOJ6212202.exe | malicious | 104.21.19.200
 | ST_PLC URGENT ORDER 0223308737,pdf.exe | malicious | 104.21.19.200
 | SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe | malicious | 104.21.19.200
 | P00760000.exe | malicious | 104.21.19.200
 | Shipment Notification 6368638172.pdf.exe | malicious | 104.21.19.200
 | purchase order.exe | malicious | 104.21.19.200
 | 9073782912,pdf.exe | malicious | 104.21.19.200
 | Purchase Order.exe | malicious | 104.21.19.200
 | dot crypted.exe | malicious | 104.21.19.200
 | v2.exe | malicious | 104.21.19.200
 | Shipping Document PL&BL Draft.exe | malicious | 104.21.19.200
 | Halkbank_Ekstre_20210223_082357_541079.exe | malicious | 104.21.19.200
 | FOB offer_1164087223_I0133P2100363812.PDF.exe | malicious | 104.21.19.200
 | PURCHASE ORDER CONFIRMATION.exe | malicious | 104.21.19.200
 | Yao Han Industries 61007-51333893QR001U,pdf.exe | malicious | 104.21.19.200
 | (appproved)WJO-TT180,pdf.exe | malicious | 104.21.19.200
 | purchase order.exe | malicious | 104.21.19.200
 | 9073782912,pdf.exe | malicious | 104.21.19.200
 | SOS URGENT RFQ #2345.exe | malicious | 104.21.19.200

                                                      Dropped Files

                                                      No context

                                                      Created / dropped Files

                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Delivery 9073782912,pdf.exe.log
                                                      Process: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe
                                                      File Type: ASCII text, with CRLF line terminators
                                                      Category: dropped
                                                      Size (bytes): 1216
                                                      Entropy (8bit): 5.355304211458859
                                                      Encrypted: false
                                                      SSDEEP: 24:ML9E4Ks29E4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MxHKX9HKx1qHiYHKhQnoPtHoxHhAHKzr
                                                      MD5: B666A4404B132B2BF6C04FBF848EB948
                                                      SHA1: D2EFB3D43F8B8806544D3A47F7DAEE8534981739
                                                      SHA-256: 7870616D981C8C0DE9A54E7383CD035470DB20CBF75ACDF729C32889D4B6ED96
                                                      SHA-512: 00E955EE9F14CEAE07E571A8EF2E103200CF421BAE83A66ED9F9E1AA6A9F449B653EDF1BFDB662A364D58ECF9B5FE4BB69D590DB2653F2F46A09F4D47719A862
                                                      Malicious: true
                                                      Reputation: moderate, very likely benign file
                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                                      Static File Info

                                                      General

                                                      File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit): 7.542462273711499
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                      • Win32 Executable (generic) a (10002005/4) 49.96%
                                                      • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      • DOS Executable Generic (2002/1) 0.01%
                                                      File name: Delivery 9073782912,pdf.exe
                                                      File size: 635392
                                                      MD5: 8b22f061055264b77361c6fe7941e25f
                                                      SHA1: 8251185b5bc6cb83e99139a7e480541a0363bc43
                                                      SHA256: 7fbc2450a78cb9a8b033dd654c2b2378a7e9f3ea7f89bd0db57f907685a2c4cf
                                                      SHA512: ed21a8a43265cdd8d0bcb72cb02b54e13542e26f81261996c837ca092a18ed89b5394cc674e099008d06f25357c6ac61519c135216b95b4ef24971d26220bc33
                                                      SSDEEP: 12288:pReF1EYoHSRA26BqSSF2EuYiNnZUkRobfzl6sI/jklzAKp:pUo3ZCbw/jklDp
                                                      File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...;.5`..............0..j...D....... ...`... ....@.. .......................@............@................................

                                                      File Icon

                                                      Icon Hash: 8604a4acbcace4f8

                                                      Static PE Info

                                                      General

                                                      Entrypoint: 0x4a200a
                                                      Entrypoint Section:
                                                      Digitally signed: false
                                                      Imagebase: 0x400000
                                                      Subsystem: windows gui
                                                      Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
                                                      DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                      Time Stamp: 0x6035023B [Tue Feb 23 13:25:15 2021 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version: v4.0.30319
                                                      OS Version Major: 4
                                                      OS Version Minor: 0
                                                      File Version Major: 4
                                                      File Version Minor: 0
                                                      Subsystem Version Major: 4
                                                      Subsystem Version Minor: 0
                                                      Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                                      Entrypoint Preview

                                                      Instruction
                                                      jmp dword ptr [004A2000h]
                                                      (followed by zero-byte padding, which the disassembler renders as repeated "add byte ptr [eax], al")

                                                      Data Directories

                                                      Name | Virtual Address | Virtual Size | Is in Section
                                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16948 | 0x53 | .text
                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6e000 | 0x31708 | .rsrc
                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa0000 | 0xc | .reloc
                                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_IAT | 0xa2000 | 0x8 |
                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x16000 | 0x48 | .text
                                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                      Sections

                                                      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                      **!@q|@ | 0x2000 | 0x12968 | 0x12a00 | False | 1.00040635487 | data | 7.99766880008 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                      .text | 0x16000 | 0x56638 | 0x56800 | False | 0.934793284863 | data | 7.94676615922 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                      .rsrc | 0x6e000 | 0x31708 | 0x31800 | False | 0.430836687184 | data | 5.93363370804 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                      .reloc | 0xa0000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                      (no name) | 0xa2000 | 0x10 | 0x200 | False | 0.044921875 | data | 0.142635768149 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

                                                      Resources

                                                      Name | RVA | Size | Type | Language | Country
                                                      RT_ICON | 0x6e2b0 | 0x96b5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
                                                      RT_ICON | 0x77968 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
                                                      RT_ICON | 0x88190 | 0x94a8 | data | |
                                                      RT_ICON | 0x91638 | 0x5488 | data | |
                                                      RT_ICON | 0x96ac0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295 | |
                                                      RT_ICON | 0x9ace8 | 0x25a8 | data | |
                                                      RT_ICON | 0x9d290 | 0x10a8 | data | |
                                                      RT_ICON | 0x9e338 | 0x988 | data | |
                                                      RT_ICON | 0x9ecc0 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                                      RT_GROUP_ICON | 0x9f128 | 0x84 | data | |
                                                      RT_VERSION | 0x9f1ac | 0x36c | data | |
                                                      RT_MANIFEST | 0x9f518 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                      Imports

                                                      DLL | Import
                                                      mscoree.dll | _CorExeMain

                                                      Version Infos

                                                      Description | Data
                                                      Translation | 0x0000 0x04b0
                                                      LegalCopyright | Copyright Neudesic 2017
                                                      Assembly Version | 1.0.0.0
                                                      InternalName | ihwC.exe
                                                      FileVersion | 1.0.0.0
                                                      CompanyName | Neudesic
                                                      LegalTrademarks |
                                                      Comments |
                                                      ProductName | VectorBasedDrawing
                                                      ProductVersion | 1.0.0.0
                                                      FileDescription | VectorBasedDrawing
                                                      OriginalFilename | ihwC.exe

                                                      Network Behavior

                                                      Network Port Distribution

                                                      TCP Packets

                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                      Feb 23, 2021 17:47:10.385010958 CET | 49742 | 80 | 192.168.2.4 | 162.88.193.70
                                                      Feb 23, 2021 17:47:10.514962912 CET | 80 | 49742 | 162.88.193.70 | 192.168.2.4
                                                      Feb 23, 2021 17:47:10.515105963 CET | 49742 | 80 | 192.168.2.4 | 162.88.193.70
                                                      Feb 23, 2021 17:47:10.515765905 CET | 49742 | 80 | 192.168.2.4 | 162.88.193.70
                                                      Feb 23, 2021 17:47:10.647022009 CET | 80 | 49742 | 162.88.193.70 | 192.168.2.4
                                                      Feb 23, 2021 17:47:10.647624016 CET | 80 | 49742 | 162.88.193.70 | 192.168.2.4
                                                      Feb 23, 2021 17:47:10.647641897 CET | 80 | 49742 | 162.88.193.70 | 192.168.2.4
                                                      Feb 23, 2021 17:47:10.648061991 CET | 49742 | 80 | 192.168.2.4 | 162.88.193.70
                                                      Feb 23, 2021 17:47:10.650599003 CET | 49742 | 80 | 192.168.2.4 | 162.88.193.70
                                                      Feb 23, 2021 17:47:10.780585051 CET | 80 | 49742 | 162.88.193.70 | 192.168.2.4
                                                      Feb 23, 2021 17:47:11.165839911 CET | 49745 | 80 | 192.168.2.4 | 162.88.193.70
                                                      Feb 23, 2021 17:47:11.301563025 CET | 80 | 49745 | 162.88.193.70 | 192.168.2.4
                                                      Feb 23, 2021 17:47:11.301687002 CET | 49745 | 80 | 192.168.2.4 | 162.88.193.70
                                                      Feb 23, 2021 17:47:11.302320004 CET | 49745 | 80 | 192.168.2.4 | 162.88.193.70
                                                      Feb 23, 2021 17:47:11.436569929 CET | 80 | 49745 | 162.88.193.70 | 192.168.2.4
                                                      Feb 23, 2021 17:47:11.437163115 CET | 80 | 49745 | 162.88.193.70 | 192.168.2.4
                                                      Feb 23, 2021 17:47:11.437191963 CET | 80 | 49745 | 162.88.193.70 | 192.168.2.4
                                                      Feb 23, 2021 17:47:11.437302113 CET | 49745 | 80 | 192.168.2.4 | 162.88.193.70
                                                      Feb 23, 2021 17:47:11.437710047 CET | 49745 | 80 | 192.168.2.4 | 162.88.193.70
                                                      Feb 23, 2021 17:47:11.570492029 CET | 80 | 49745 | 162.88.193.70 | 192.168.2.4
                                                      Feb 23, 2021 17:47:15.477514982 CET | 49746 | 443 | 192.168.2.4 | 104.21.19.200
                                                      Feb 23, 2021 17:47:15.518438101 CET | 443 | 49746 | 104.21.19.200 | 192.168.2.4
                                                      Feb 23, 2021 17:47:15.518560886 CET | 49746 | 443 | 192.168.2.4 | 104.21.19.200
                                                      Feb 23, 2021 17:47:15.663821936 CET | 49746 | 443 | 192.168.2.4 | 104.21.19.200
                                                      Feb 23, 2021 17:47:15.704763889 CET | 443 | 49746 | 104.21.19.200 | 192.168.2.4
                                                      Feb 23, 2021 17:47:15.707940102 CET | 443 | 49746 | 104.21.19.200 | 192.168.2.4
                                                      Feb 23, 2021 17:47:15.707974911 CET | 443 | 49746 | 104.21.19.200 | 192.168.2.4
                                                      Feb 23, 2021 17:47:15.708055973 CET | 49746 | 443 | 192.168.2.4 | 104.21.19.200
                                                      Feb 23, 2021 17:47:15.720120907 CET | 49746 | 443 | 192.168.2.4 | 104.21.19.200
                                                      Feb 23, 2021 17:47:15.761037111 CET | 443 | 49746 | 104.21.19.200 | 192.168.2.4
                                                      Feb 23, 2021 17:47:15.761157036 CET | 443 | 49746 | 104.21.19.200 | 192.168.2.4
                                                      Feb 23, 2021 17:47:15.894706964 CET | 49746 | 443 | 192.168.2.4 | 104.21.19.200
                                                      Feb 23, 2021 17:47:16.124634981 CET | 49746 | 443 | 192.168.2.4 | 104.21.19.200
                                                      Feb 23, 2021 17:47:16.165818930 CET | 443 | 49746 | 104.21.19.200 | 192.168.2.4
                                                      Feb 23, 2021 17:47:16.176373959 CET | 443 | 49746 | 104.21.19.200 | 192.168.2.4
                                                      Feb 23, 2021 17:47:16.300379038 CET | 49746 | 443 | 192.168.2.4 | 104.21.19.200

                                                      UDP Packets

                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                      Feb 23, 2021 17:46:17.454483032 CET | 53723 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:17.503448009 CET | 53 | 53723 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:18.465976954 CET | 64646 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:18.514651060 CET | 53 | 64646 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:18.596849918 CET | 65298 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:18.645673037 CET | 53 | 65298 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:19.059184074 CET | 59123 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:19.117706060 CET | 53 | 59123 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:19.822237968 CET | 54531 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:19.873717070 CET | 53 | 54531 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:21.559057951 CET | 49714 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:21.609155893 CET | 53 | 49714 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:23.021130085 CET | 58028 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:23.069884062 CET | 53 | 58028 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:24.302784920 CET | 53097 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:24.362678051 CET | 53 | 53097 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:25.923446894 CET | 49257 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:25.972177029 CET | 53 | 49257 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:27.101850986 CET | 62389 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:27.153682947 CET | 53 | 62389 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:28.352952957 CET | 49910 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:28.401815891 CET | 53 | 49910 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:29.705750942 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:29.770699978 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:31.847505093 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:31.900166035 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:33.009524107 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:33.058171988 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:35.175245047 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:35.238220930 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:36.564374924 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:36.616409063 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:37.795241117 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:37.850491047 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:42.885940075 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:42.943049908 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:44.089695930 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:44.147047997 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:46.165170908 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:46.216825008 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:47.319994926 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:47.368875980 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:48.725441933 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:48.774477959 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:46:49.850008965 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:46:49.901560068 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:47:09.970807076 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:47:10.019479990 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:47:10.044681072 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:47:10.093497038 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:47:10.784713984 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:47:10.846333027 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:47:10.992858887 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:47:11.052777052 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:47:15.414294004 CET | 52337 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:47:15.474364996 CET | 53 | 52337 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:47:16.051832914 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:47:16.128154039 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:47:17.384895086 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:47:17.445041895 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:47:19.945775986 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:47:20.038868904 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:47:20.514960051 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:47:20.572122097 CET | 53 | 50601 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:47:21.488823891 CET | 60875 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:47:21.549582005 CET | 53 | 60875 | 8.8.8.8 | 192.168.2.4
                                                      Feb 23, 2021 17:47:22.153453112 CET | 56448 | 53 | 192.168.2.4 | 8.8.8.8
                                                      Feb 23, 2021 17:47:22.215020895 CET53564488.8.8.8192.168.2.4
                                                      Feb 23, 2021 17:47:22.310942888 CET5917253192.168.2.48.8.8.8
                                                      Feb 23, 2021 17:47:22.377717972 CET53591728.8.8.8192.168.2.4
                                                      Feb 23, 2021 17:47:22.887278080 CET6242053192.168.2.48.8.8.8
                                                      Feb 23, 2021 17:47:22.949532986 CET53624208.8.8.8192.168.2.4
                                                      Feb 23, 2021 17:47:23.929455042 CET6057953192.168.2.48.8.8.8
                                                      Feb 23, 2021 17:47:23.988411903 CET53605798.8.8.8192.168.2.4
                                                      Feb 23, 2021 17:47:25.474884987 CET5018353192.168.2.48.8.8.8
                                                      Feb 23, 2021 17:47:25.532162905 CET53501838.8.8.8192.168.2.4
                                                      Feb 23, 2021 17:47:26.061750889 CET6153153192.168.2.48.8.8.8
                                                      Feb 23, 2021 17:47:26.118860960 CET53615318.8.8.8192.168.2.4
                                                      Feb 23, 2021 17:47:31.777206898 CET4922853192.168.2.48.8.8.8
                                                      Feb 23, 2021 17:47:31.835905075 CET53492288.8.8.8192.168.2.4
                                                      Feb 23, 2021 17:48:01.090235949 CET5979453192.168.2.48.8.8.8
                                                      Feb 23, 2021 17:48:01.138968945 CET53597948.8.8.8192.168.2.4
                                                      Feb 23, 2021 17:48:02.770982981 CET5591653192.168.2.48.8.8.8
                                                      Feb 23, 2021 17:48:02.842902899 CET53559168.8.8.8192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 23, 2021 17:47:09.970807076 CET | 192.168.2.4 | 8.8.8.8 | 0x54f0 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
Feb 23, 2021 17:47:10.044681072 CET | 192.168.2.4 | 8.8.8.8 | 0xd247 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
Feb 23, 2021 17:47:15.414294004 CET | 192.168.2.4 | 8.8.8.8 | 0xb3b6 | Standard query (0) | freegeoip.app | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 23, 2021 17:47:10.019479990 CET | 8.8.8.8 | 192.168.2.4 | 0x54f0 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 17:47:10.019479990 CET | 8.8.8.8 | 192.168.2.4 | 0x54f0 | No error (0) | checkip.dyndns.com | | 162.88.193.70 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:47:10.019479990 CET | 8.8.8.8 | 192.168.2.4 | 0x54f0 | No error (0) | checkip.dyndns.com | | 216.146.43.71 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:47:10.019479990 CET | 8.8.8.8 | 192.168.2.4 | 0x54f0 | No error (0) | checkip.dyndns.com | | 131.186.113.70 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:47:10.019479990 CET | 8.8.8.8 | 192.168.2.4 | 0x54f0 | No error (0) | checkip.dyndns.com | | 131.186.161.70 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:47:10.019479990 CET | 8.8.8.8 | 192.168.2.4 | 0x54f0 | No error (0) | checkip.dyndns.com | | 216.146.43.70 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:47:10.093497038 CET | 8.8.8.8 | 192.168.2.4 | 0xd247 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 17:47:10.093497038 CET | 8.8.8.8 | 192.168.2.4 | 0xd247 | No error (0) | checkip.dyndns.com | | 216.146.43.70 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:47:10.093497038 CET | 8.8.8.8 | 192.168.2.4 | 0xd247 | No error (0) | checkip.dyndns.com | | 162.88.193.70 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:47:10.093497038 CET | 8.8.8.8 | 192.168.2.4 | 0xd247 | No error (0) | checkip.dyndns.com | | 216.146.43.71 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:47:10.093497038 CET | 8.8.8.8 | 192.168.2.4 | 0xd247 | No error (0) | checkip.dyndns.com | | 131.186.161.70 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:47:10.093497038 CET | 8.8.8.8 | 192.168.2.4 | 0xd247 | No error (0) | checkip.dyndns.com | | 131.186.113.70 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:47:15.474364996 CET | 8.8.8.8 | 192.168.2.4 | 0xb3b6 | No error (0) | freegeoip.app | | 104.21.19.200 | A (IP address) | IN (0x0001)
Feb 23, 2021 17:47:15.474364996 CET | 8.8.8.8 | 192.168.2.4 | 0xb3b6 | No error (0) | freegeoip.app | | 172.67.188.154 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• checkip.dyndns.org

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49742 | 162.88.193.70 | 80 | C:\Users\user\Desktop\Delivery 9073782912,pdf.exe

Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 17:47:10.515765905 CET | 1400 | OUT |
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Feb 23, 2021 17:47:10.647624016 CET | 1400 | IN |
HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0.1
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 103
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 33 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.38</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49745 | 162.88.193.70 | 80 | C:\Users\user\Desktop\Delivery 9073782912,pdf.exe

Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 17:47:11.302320004 CET | 1470 | OUT |
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Feb 23, 2021 17:47:11.437163115 CET | 1471 | IN |
HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0.1
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 103
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 33 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.38</body></html>


HTTPS Packets

Timestamp: Feb 23, 2021 17:47:15.707974911 CET
Source IP: 104.21.19.200, Source Port: 443
Dest IP: 192.168.2.4, Dest Port: 49746
Subject: CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US
Issuer: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
Not Before: Mon Aug 10 02:00:00 CEST 2020
Not After: Tue Aug 10 14:00:00 CEST 2021
Issuer certificate (intermediate):
    Subject: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
    Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
    Not Before: Mon Jan 27 13:48:08 CET 2020
    Not After: Wed Jan 01 00:59:59 CET 2025
JA3 SSL Client Fingerprint: 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 54328bd36c14bd82ddaa0c04b25ed9ad

                                                      Code Manipulations

                                                      Statistics

                                                      Behavior

                                                      System Behavior

                                                      General

Start time: 17:46:24
Start date: 23/02/2021
Path: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Delivery 9073782912,pdf.exe'
Imagebase: 0x7ffabd480000
File size: 635392 bytes
MD5 hash: 8B22F061055264B77361C6FE7941E25F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

                                                      General

Start time: 17:47:05
Start date: 23/02/2021
Path: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0x7ffabd480000
File size: 635392 bytes
MD5 hash: 8B22F061055264B77361C6FE7941E25F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000008.00000002.910649782.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.910649782.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

                                                      Disassembly

                                                      Code Analysis
