
Analysis Report: Delivery 9073782912,pdf.exe

Overview

General Information

Sample Name: Delivery 9073782912,pdf.exe
Analysis ID: 356845
MD5: 8b22f061055264b77361c6fe7941e25f
SHA1: 8251185b5bc6cb83e99139a7e480541a0363bc43
SHA256: 7fbc2450a78cb9a8b033dd654c2b2378a7e9f3ea7f89bd0db57f907685a2c4cf
Tags: DHL, exe, SnakeKeylogger

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
PE file contains section with special chars
PE file has nameless sections
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Beds Obfuscator
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "info@3ptechnik.xyzgF*BS#rb4smtp.3ptechnik.xyz"}}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.910649782.0000000000402000.00000040.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
00000008.00000002.910649782.0000000000402000.00000040.00000001.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
Process Memory Space: Delivery 9073782912,pdf.exe PID: 6880 | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
8.2.Delivery 9073782912,pdf.exe.400000.0.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
8.2.Delivery 9073782912,pdf.exe.400000.0.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
0.2.Delivery 9073782912,pdf.exe.4f22e08.3.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "info@3ptechnik.xyzgF*BS#rb4smtp.3ptechnik.xyz"}}
Multi AV Scanner detection for submitted file
Source: Delivery 9073782912,pdf.exe | ReversingLabs: Detection: 27%
Machine Learning detection for sample
Source: Delivery 9073782912,pdf.exe | Joe Sandbox ML: detected
Source: 8.2.Delivery 9073782912,pdf.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 0.2.Delivery 9073782912,pdf.exe.e10000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen3

Compliance:

Uses 32bit PE files
Source: Delivery 9073782912,pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown | HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.4:49746 version: TLS 1.0
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Delivery 9073782912,pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 4x nop then xor edx, edx

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: checkip.dyndns.org
Source: Joe Sandbox View | IP Address: 162.88.193.70 162.88.193.70
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.4:49746 version: TLS 1.0
Source: unknown | DNS traffic detected: queries for: checkip.dyndns.org
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746

System Summary:

PE file contains section with special chars
Source: Delivery 9073782912,pdf.exe | Static PE information: section name: **!@q|@
PE file has nameless sections
Source: Delivery 9073782912,pdf.exe | Static PE information: section name:
                      Source: Delivery 9073782912,pdf.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Delivery 9073782912,pdf.exe, 00000000.00000000.645678736.0000000000E97000.00000002.00020000.sdmpBinary or memory string: OriginalFilename vs Delivery 9073782912,pdf.exe
                      Source: Delivery 9073782912,pdf.exe, 00000000.00000002.737404793.00000000033B1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameBunifu.UI.dll4 vs Delivery 9073782912,pdf.exe
                      Source: Delivery 9073782912,pdf.exe, 00000000.00000002.737404793.00000000033B1000.00000004.00000001.sdmpBinary or memory string: OriginalFilename45ZFWF8N.exe4 vs Delivery 9073782912,pdf.exe
                      Source: Delivery 9073782912,pdf.exe, 00000008.00000002.910914612.0000000000B56000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs Delivery 9073782912,pdf.exe
                      Source: Delivery 9073782912,pdf.exe, 00000008.00000002.910706029.0000000000466000.00000040.00000001.sdmpBinary or memory string: OriginalFilename45ZFWF8N.exe4 vs Delivery 9073782912,pdf.exe
                      Source: Delivery 9073782912,pdf.exe, 00000008.00000002.910852766.00000000007A7000.00000002.00020000.sdmpBinary or memory string: OriginalFilename vs Delivery 9073782912,pdf.exe
                      Source: Delivery 9073782912,pdf.exeBinary or memory string: OriginalFilename vs Delivery 9073782912,pdf.exe
                      Source: Delivery 9073782912,pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: Delivery 9073782912,pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: Delivery 9073782912,pdf.exeStatic PE information: Section: **!@q|@ ZLIB complexity 1.00040635487
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@3/2
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Delivery 9073782912,pdf.exe.logJump to behavior
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: Delivery 9073782912,pdf.exe | ReversingLabs: Detection: 27%
Source: Delivery 9073782912,pdf.exe | String found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle
Source: Delivery 9073782912,pdf.exe | String found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail
Source: unknown | Process created: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe 'C:\Users\user\Desktop\Delivery 9073782912,pdf.exe'
Source: unknown | Process created: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe {path}
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Process created: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe {path}
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Delivery 9073782912,pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Delivery 9073782912,pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Yara detected Beds Obfuscator
Source: Yara match | File source: 00000008.00000002.910649782.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6880, type: MEMORY
Source: Yara match | File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6980, type: MEMORY
Source: Yara match | File source: 8.2.Delivery 9073782912,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.4f22e08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.raw.unpack, type: UNPACKEDPE
Source: Delivery 9073782912,pdf.exe | Static PE information: section name: **!@q|@
Source: Delivery 9073782912,pdf.exe | Static PE information: section name: (nameless section)
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 0_2_03317C98 push esp; ret
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 0_2_084325E0 pushad ; ret
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 8_2_061DBC05 push 8B000003h; iretd
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 8_2_061DB507 push es; iretd
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 8_2_061DB0D0 pushfd ; iretd
Source: initial sample | Static PE information: section name: **!@q|@ entropy: 7.99766880008
Source: initial sample | Static PE information: section name: .text entropy: 7.94676615922
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected Beds Obfuscator
Source: Yara match | File source: 00000008.00000002.910649782.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.741510466.0000000004E73000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6880, type: MEMORY
Source: Yara match | File source: Process Memory Space: Delivery 9073782912,pdf.exe PID: 6980, type: MEMORY
Source: Yara match | File source: 8.2.Delivery 9073782912,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.4f22e08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Delivery 9073782912,pdf.exe.50dbcb8.4.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 8_2_061D3465 rdtsc
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe TID: 7028 | Thread sleep time: -55000s >= -30000s
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe TID: 7016 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe TID: 7028 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 0_2_031A1750 CheckRemoteDebuggerPresent,
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 8_2_061D3465 rdtsc
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Code function: 8_2_061D1C50 LdrInitializeThunk,KiUserExceptionDispatcher,
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Memory written: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Process created: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe {path}
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.911703112.00000000014E0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.911703112.00000000014E0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.911703112.00000000014E0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Delivery 9073782912,pdf.exe, 00000008.00000002.911703112.00000000014E0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Delivery 9073782912,pdf.exe