
Windows Analysis Report shipping documents pdf,.exe

Overview

General Information

Sample Name: shipping documents pdf,.exe
Analysis ID: 452717
MD5: f0d2f3d209b220c52f1453c280574138
SHA1: 563ea7d4e0df7d834a498d662340d528d5dff3d1
SHA256: 16ca9330a520fa98fb78ba1fb3aef9e49ef6e0a9df70a696a239e9f4925d2714
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • shipping documents pdf,.exe (PID: 6696 cmdline: 'C:\Users\user\Desktop\shipping documents pdf,.exe' MD5: F0D2F3D209B220C52F1453C280574138)
    • schtasks.exe (PID: 6100 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GynJIbTtnNRSp' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA0E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • shipping documents pdf,.exe (PID: 5704 cmdline: C:\Users\user\Desktop\shipping documents pdf,.exe MD5: F0D2F3D209B220C52F1453C280574138)
    • shipping documents pdf,.exe (PID: 4620 cmdline: C:\Users\user\Desktop\shipping documents pdf,.exe MD5: F0D2F3D209B220C52F1453C280574138)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "imam@esquiresweaters.com", "Password": "Esquire@#2078", "Host": "mail.esquiresweaters.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.914363529.0000000002D21000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000009.00000002.914363529.0000000002D21000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000009.00000002.912756589.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000009.00000002.912756589.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
Process Memory Space: shipping documents pdf,.exe PID: 4620 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
9.2.shipping documents pdf,.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
9.2.shipping documents pdf,.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 9.2.shipping documents pdf,.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "imam@esquiresweaters.com", "Password": "Esquire@#2078", "Host": "mail.esquiresweaters.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\GynJIbTtnNRSp.exe | ReversingLabs: Detection: 15%
Multi AV Scanner detection for submitted file
Source: shipping documents pdf,.exe | ReversingLabs: Detection: 15%
Source: 9.2.shipping documents pdf,.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: shipping documents pdf,.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: shipping documents pdf,.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: shipping documents pdf,.exe, 00000009.00000002.914363529.0000000002D21000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: shipping documents pdf,.exe, 00000009.00000002.914363529.0000000002D21000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: shipping documents pdf,.exe, 00000009.00000002.914363529.0000000002D21000.00000004.00000001.sdmp | String found in binary or memory: http://dOXutE.com
Source: shipping documents pdf,.exe, 00000000.00000003.652756374.000000000180D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: shipping documents pdf,.exe, 00000009.00000002.914460740.0000000002DCA000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
Source: shipping documents pdf,.exe, 00000009.00000002.914363529.0000000002D21000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: shipping documents pdf,.exe, 00000009.00000002.912756589.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: shipping documents pdf,.exe, 00000009.00000002.914363529.0000000002D21000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: shipping documents pdf,.exe
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Code function: 8_2_001E2D81
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Code function: 9_2_008A2D81
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Code function: 9_2_010A6118
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Code function: 9_2_010A6850
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Code function: 9_2_010A5AE1
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Code function: 9_2_02AC47A0
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Code function: 9_2_02AC4730
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Code function: 9_2_02ACD661
Source: shipping documents pdf,.exe, 00000000.00000000.648801048.0000000000D98000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAsyncLocalValueChangedAr.exeD vs shipping documents pdf,.exe
Source: shipping documents pdf,.exe, 00000008.00000000.706887120.00000000002A8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAsyncLocalValueChangedAr.exeD vs shipping documents pdf,.exe
Source: shipping documents pdf,.exe, 00000009.00000000.707948127.0000000000968000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAsyncLocalValueChangedAr.exeD vs shipping documents pdf,.exe
Source: shipping documents pdf,.exe, 00000009.00000002.915752711.0000000005D60000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs shipping documents pdf,.exe
Source: shipping documents pdf,.exe, 00000009.00000002.912756589.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameExCTClVOuPTaoSooreHcMm.exe4 vs shipping documents pdf,.exe
Source: shipping documents pdf,.exe | Binary or memory string: OriginalFilenameAsyncLocalValueChangedAr.exeD vs shipping documents pdf,.exe
Source: shipping documents pdf,.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: shipping documents pdf,.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: GynJIbTtnNRSp.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/4@0/0
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | File created: C:\Users\user\AppData\Roaming\GynJIbTtnNRSp.exe
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Mutant created: \Sessions\1\BaseNamedObjects\qREFzwLnhHPjsoTHeFkBp
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:740:120:WilError_01
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | File created: C:\Users\user\AppData\Local\Temp\tmpBA0E.tmp
Source: shipping documents pdf,.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: shipping documents pdf,.exe, 00000000.00000000.648700203.0000000000CD2000.00000002.00020000.sdmp, shipping documents pdf,.exe, 00000008.00000002.707041635.00000000001E2000.00000002.00020000.sdmp, shipping documents pdf,.exe, 00000009.00000002.912811824.00000000008A2000.00000002.00020000.sdmp | Binary or memory string: SELECT TOP 1 * FROM UPLOADDATA WHERE STATUS = 0 AND SENTDATE <= GETDATE() ORDER BY UPLOADDATEAData is not available, waiting..?Not in working time, sleeping..iThread is stopping, waiting all workThread to stop..-All workThread stopped;Exception on [internalProses]%[internalProses]:
Source: shipping documents pdf,.exe | ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | File read: C:\Users\user\Desktop\shipping documents pdf,.exe
Source: unknown | Process created: C:\Users\user\Desktop\shipping documents pdf,.exe 'C:\Users\user\Desktop\shipping documents pdf,.exe'
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GynJIbTtnNRSp' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA0E.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Process created: C:\Users\user\Desktop\shipping documents pdf,.exe C:\Users\user\Desktop\shipping documents pdf,.exe
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Process created: C:\Users\user\Desktop\shipping documents pdf,.exe C:\Users\user\Desktop\shipping documents pdf,.exe
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GynJIbTtnNRSp' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA0E.tmp'
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Process created: C:\Users\user\Desktop\shipping documents pdf,.exe C:\Users\user\Desktop\shipping documents pdf,.exe
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Process created: C:\Users\user\Desktop\shipping documents pdf,.exe C:\Users\user\Desktop\shipping documents pdf,.exe
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: shipping documents pdf,.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: shipping documents pdf,.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Code function: 9_2_010AB537 push edi; retn 0000h | 9_2_010AB539
Source: initial sample | Static PE information: section name: .text entropy: 7.70350077702
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | File created: C:\Users\user\AppData\Roaming\GynJIbTtnNRSp.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GynJIbTtnNRSp' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA0E.tmp'
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Window / User API: threadDelayed 3005
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Window / User API: threadDelayed 6790
Source: C:\Users\user\Desktop\shipping documents pdf,.exe TID: 6700 | Thread sleep time: -50287s >= -30000s
Source: C:\Users\user\Desktop\shipping documents pdf,.exe TID: 6728 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\shipping documents pdf,.exe TID: 6356 | Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Users\user\Desktop\shipping documents pdf,.exe TID: 6540 | Thread sleep count: 3005 > 30
Source: C:\Users\user\Desktop\shipping documents pdf,.exe TID: 6540 | Thread sleep count: 6790 > 30
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Thread delayed: delay time: 50287
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Thread delayed: delay time: 922337203685477
Source: shipping documents pdf,.exe, 00000009.00000002.915752711.0000000005D60000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: shipping documents pdf,.exe | Binary or memory string: DdUXhZQ[fUE6Ws]YTSk6WLInYD73f[o5QsEYYq{nV]8XY[8XVpEzfoQZd5M[]WMZ][<IgogJD}4pfy]3[3Y5]DL[]}Y4[3Y5]D75esU[\moJezE[TiU[]qET]m8Z\3QqeMU[]K<IgogJD|YJg4E[eyQ3[3Y5]DL6e3Q5\xDjfoUZd5<pfTU6\osp\SQ[]mopg|Y5XlY5Y843[wEjfoUZd5<pfTU6\osp\SQ[e|<pU843[wEjfoQ[YDL[]nopgyMKX3QZ
Source: shipping documents pdf,.exe, 00000009.00000002.915752711.0000000005D60000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: shipping documents pdf,.exe, 00000009.00000002.915752711.0000000005D60000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: shipping documents pdf,.exe, 00000009.00000002.915752711.0000000005D60000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Memory written: C:\Users\user\Desktop\shipping documents pdf,.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GynJIbTtnNRSp' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA0E.tmp'
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Process created: C:\Users\user\Desktop\shipping documents pdf,.exe C:\Users\user\Desktop\shipping documents pdf,.exe
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Process created: C:\Users\user\Desktop\shipping documents pdf,.exe C:\Users\user\Desktop\shipping documents pdf,.exe
Source: shipping documents pdf,.exe, 00000009.00000002.913923564.0000000001630000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: shipping documents pdf,.exe, 00000009.00000002.913923564.0000000001630000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: shipping documents pdf,.exe, 00000009.00000002.913923564.0000000001630000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: shipping documents pdf,.exe, 00000009.00000002.913923564.0000000001630000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Queries volume information: C:\Users\user\Desktop\shipping documents pdf,.exe VolumeInformation
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\shipping documents pdf,.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Users\user\Desktop\shipping documents pdf,.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\shipping documents pdf,.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information:

                Yara detected AgentTesla
                Source: Yara match, file source: 9.2.shipping documents pdf,.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 00000009.00000002.912756589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Yara detected AgentTesla
                Source: Yara match, file source: 9.2.shipping documents pdf,.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 00000009.00000002.914363529.0000000002D21000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, file source: 00000009.00000002.912756589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, file source: Process Memory Space: shipping documents pdf,.exe PID: 4620, type: MEMORY
                Source: Yara match, file source: 00000009.00000002.914363529.0000000002D21000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, file source: Process Memory Space: shipping documents pdf,.exe PID: 4620, type: MEMORY

                Remote Access Functionality:

                Yara detected AgentTesla
                Source: Yara match, file source: 9.2.shipping documents pdf,.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 00000009.00000002.912756589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Yara detected AgentTesla
                Source: Yara match, file source: 9.2.shipping documents pdf,.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, file source: 00000009.00000002.914363529.0000000002D21000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match, file source: 00000009.00000002.912756589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match, file source: Process Memory Space: shipping documents pdf,.exe PID: 4620, type: MEMORY

                Mitre Att&ck Matrix

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | Windows Management Instrumentation 211 | Scheduled Task/Job 1 | Process Injection 112 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 211 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Clipboard Data 1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 131 | Security Account Manager | Virtualization/Sandbox Evasion 131 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 2 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 3 | Cached Domain Credentials | System Information Discovery 113 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features

                Behavior Graph

                Legend (graph image not reproduced): Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                Source | Detection | Scanner | Label
                shipping documents pdf,.exe | 15% | ReversingLabs | ByteCode-MSIL.Trojan.Taskun

                Dropped Files

                Source | Detection | Scanner | Label
                C:\Users\user\AppData\Roaming\GynJIbTtnNRSp.exe | 15% | ReversingLabs | ByteCode-MSIL.Trojan.Taskun

                Unpacked PE Files

                Source | Detection | Scanner | Label
                9.2.shipping documents pdf,.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                Domains

                No Antivirus matches

                URLs

                Source | Detection | Scanner | Label
                http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                http://dOXutE.com | 0% | Avira URL Cloud | safe
                https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
                http://DynDns.comDynDNS | 0% | URL Reputation | safe
                http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                https://api.ipify.org% | 0% | URL Reputation | safe
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                Domains and IPs

                Contacted Domains

                No contacted domains info

                URLs from Memory and Binaries

                Name | Source | Malicious | Antivirus Detection | Reputation
                http://127.0.0.1:HTTP/1.1 | shipping documents pdf,.exe, 00000009.00000002.914363529.0000000002D21000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                http://dOXutE.com | shipping documents pdf,.exe, 00000009.00000002.914363529.0000000002D21000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                https://api.ipify.org%GETMozilla/5.0 | shipping documents pdf,.exe, 00000009.00000002.914363529.0000000002D21000.00000004.00000001.sdmp | false | URL Reputation: safe | low
                http://DynDns.comDynDNS | shipping documents pdf,.exe, 00000009.00000002.914363529.0000000002D21000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.founder.com.cn/cn | shipping documents pdf,.exe, 00000000.00000003.652756374.000000000180D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | shipping documents pdf,.exe, 00000009.00000002.914363529.0000000002D21000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                https://api.ipify.org% | shipping documents pdf,.exe, 00000009.00000002.914460740.0000000002DCA000.00000004.00000001.sdmp | false | URL Reputation: safe | low
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | shipping documents pdf,.exe, 00000009.00000002.912756589.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown

                Contacted IPs

                No contacted IP infos

                General Information

                Joe Sandbox Version:33.0.0 White Diamond
                Analysis ID:452717
                Start date:22.07.2021
                Start time:18:54:12
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 8m 38s
                Hypervisor based Inspection enabled:false
                Report type:full
                Sample file name:shipping documents pdf,.exe
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of new started processes analysed:21
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@8/4@0/0
                EGA Information:Failed
                HDC Information:
                • Successful, ratio: 0.5% (good quality ratio 0.2%)
                • Quality average: 42.4%
                • Quality standard deviation: 42.1%
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 44
                • Number of non-executed functions: 2
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Found application associated with file extension: .exe
                Warnings:
                • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                • Not all processes were analyzed, report is missing behavior information
                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.

                Simulations

                Behavior and APIs

                Time | Type | Description
                18:55:25 | API Interceptor | 614x Sleep call for process: shipping documents pdf,.exe modified

                Joe Sandbox View / Context

                IPs

                No context

                Domains

                No context

                ASN

                No context

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\shipping documents pdf,.exe.log
                Process:C:\Users\user\Desktop\shipping documents pdf,.exe
                File Type:ASCII text, with CRLF line terminators
                Category:modified
                Size (bytes):1314
                Entropy (8bit):5.350128552078965
                Encrypted:false
                SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                Malicious:true
                Reputation:high, very likely benign file
                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                C:\Users\user\AppData\Local\Temp\tmpBA0E.tmp
                Process:C:\Users\user\Desktop\shipping documents pdf,.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1646
                Entropy (8bit):5.181845049267886
                Encrypted:false
                SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGytn:cbhK79lNQR/rydbz9I3YODOLNdq3d
                MD5:85D05EBD87841449CDA38B8E261322A4
                SHA1:70D1EF89EF2D467AB990F81F6DBF3AA3621A98F8
                SHA-256:6B7FA78A455112E255E0C6CDF8A7A8DDDC9359306B163394BE3C10279ECA8F46
                SHA-512:1547EDEA26E7E3A68B2E168625A4F0DE2941B8A39B2DD7E6059ED833CE76630B4B12D1B71B396AEAB201A28C874E24F9F4181AE82D010FB4CC934ED23542CFB0
                Malicious:true
                Reputation:low
                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                C:\Users\user\AppData\Roaming\GynJIbTtnNRSp.exe
                Process:C:\Users\user\Desktop\shipping documents pdf,.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):829952
                Entropy (8bit):7.683280451805733
                Encrypted:false
                SSDEEP:12288:9bOVe0b97T02BtaUc0r47/NdWCbsLf2UwOlOAflBzzwZgTCibyaUVKnp:9bOVeKgkmlFYr26lOKlBzztCiuahp
                MD5:F0D2F3D209B220C52F1453C280574138
                SHA1:563EA7D4E0DF7D834A498D662340D528D5DFF3D1
                SHA-256:16CA9330A520FA98FB78BA1FB3AEF9E49EF6E0A9DF70A696A239E9F4925D2714
                SHA-512:B117E5500267193D9168F6DCBE4C07210973B9A8E554BCC5FB62DE6C5AD953B90CB50EA5C5A9469F110E0BC4D7D6DCB83BD35A73E8753883F9DD5A914F8AF73D
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 15%
                Reputation:low
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X|.`..............P..L...\.......k... ........@.. ....................................@..................................k..O........Y........................................................................... ............... ..H............text....K... ...L.................. ..`.rsrc....Y.......Z...N..............@..@.reloc..............................@..B.................k......H...........0...........Dr..P............................................0............( ...(!.........(.....o"....*.....................(#......($......(%......(&......('....*N..(....or...((....*&..()....*.s*........s+........s,........s-........s.........*....0...........~....o/....+..*.0...........~....o0....+..*.0...........~....o1....+..*.0...........~....o2....+..*.0...........~....o3....+..*.0..<........~.....(4.....,!r...p.....(5...o6...s7............~.....+..*.0......
                C:\Users\user\AppData\Roaming\GynJIbTtnNRSp.exe:Zone.Identifier
                Process:C:\Users\user\Desktop\shipping documents pdf,.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):26
                Entropy (8bit):3.95006375643621
                Encrypted:false
                SSDEEP:3:ggPYV:rPYV
                MD5:187F488E27DB4AF347237FE461A079AD
                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                Malicious:false
                Reputation:high, very likely benign file
                Preview: [ZoneTransfer]....ZoneId=0

                Static File Info

                General

                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Entropy (8bit):7.683280451805733
                TrID:
                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                • Win32 Executable (generic) a (10002005/4) 49.75%
                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                • Windows Screen Saver (13104/52) 0.07%
                • Generic Win/DOS Executable (2004/3) 0.01%
                File name:shipping documents pdf,.exe
                File size:829952
                MD5:f0d2f3d209b220c52f1453c280574138
                SHA1:563ea7d4e0df7d834a498d662340d528d5dff3d1
                SHA256:16ca9330a520fa98fb78ba1fb3aef9e49ef6e0a9df70a696a239e9f4925d2714
                SHA512:b117e5500267193d9168f6dcbe4c07210973b9a8e554bcc5fb62de6c5ad953b90cb50ea5c5a9469f110e0bc4d7d6dcb83bd35a73e8753883f9dd5a914f8af73d
                SSDEEP:12288:9bOVe0b97T02BtaUc0r47/NdWCbsLf2UwOlOAflBzzwZgTCibyaUVKnp:9bOVeKgkmlFYr26lOKlBzztCiuahp
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X|.`..............P..L...\.......k... ........@.. ....................................@................................

                File Icon

                Icon Hash:1d1949485b2d1e1e

                Static PE Info

                General

                Entrypoint:0x4c6be6
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Time Stamp:0x60F97C58 [Thu Jul 22 14:10:32 2021 UTC]
                TLS Callbacks:
                CLR (.Net) Version:v4.0.30319
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                Entrypoint Preview

                Instruction
                jmp dword ptr [00402000h]
                daa
                add byte ptr [ecx], bl
                and byte ptr [ebx], bh
                add byte ptr [ebx], bl
                inc dword ptr [eax]
                add byte ptr [eax], al

                Data Directories

                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc6b94 | 0x4f | .text
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x59bc | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xce000 | 0xc | .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                Sections

                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x2000 | 0xc4bf4 | 0xc4c00 | False | 0.82457984236 | data | 7.70350077702 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                .rsrc | 0xc8000 | 0x59bc | 0x5a00 | False | 0.353776041667 | data | 4.53523517681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .reloc | 0xce000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                Resources

                Name | RVA | Size | Type | Language | Country
                RT_ICON | 0xc8160 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294967295, next used block 4294901502 | |
                RT_ICON | 0xc9208 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4294967295, next used block 4294967295 | |
                RT_GROUP_ICON | 0xcd430 | 0x22 | data | |
                RT_VERSION | 0xcd454 | 0x37c | data | |
                RT_MANIFEST | 0xcd7d0 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                Imports

                DLL | Import
                mscoree.dll | _CorExeMain

                Version Infos

                Description | Data
                Translation | 0x0000 0x04b0
                LegalCopyright | Copyright 2011
                Assembly Version | 1.0.0.0
                InternalName | AsyncLocalValueChangedAr.exe
                FileVersion | 1.0.0.0
                CompanyName |
                LegalTrademarks |
                Comments |
                ProductName | messageController
                ProductVersion | 1.0.0.0
                FileDescription | messageController
                OriginalFilename | AsyncLocalValueChangedAr.exe

                Network Behavior

                No network behavior found

                Code Manipulations

                System Behavior

                General

                Start time:18:55:00
                Start date:22/07/2021
                Path:C:\Users\user\Desktop\shipping documents pdf,.exe
                Wow64 process (32bit):true
                Commandline:'C:\Users\user\Desktop\shipping documents pdf,.exe'
                Imagebase:0xcd0000
                File size:829952 bytes
                MD5 hash:F0D2F3D209B220C52F1453C280574138
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Reputation:low

                General

                Start time:18:55:27
                Start date:22/07/2021
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GynJIbTtnNRSp' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA0E.tmp'
                Imagebase:0x1140000
                File size:185856 bytes
                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:18:55:27
                Start date:22/07/2021
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff724c50000
                File size:625664 bytes
                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:18:55:28
                Start date:22/07/2021
                Path:C:\Users\user\Desktop\shipping documents pdf,.exe
                Wow64 process (32bit):false
                Commandline:C:\Users\user\Desktop\shipping documents pdf,.exe
                Imagebase:0x1e0000
                File size:829952 bytes
                MD5 hash:F0D2F3D209B220C52F1453C280574138
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:low

                General

                Start time:18:55:28
                Start date:22/07/2021
                Path:C:\Users\user\Desktop\shipping documents pdf,.exe
                Wow64 process (32bit):true
                Commandline:C:\Users\user\Desktop\shipping documents pdf,.exe
                Imagebase:0x8a0000
                File size:829952 bytes
                MD5 hash:F0D2F3D209B220C52F1453C280574138
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.914363529.0000000002D21000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.914363529.0000000002D21000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.912756589.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000002.912756589.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                Reputation:low

                Disassembly

                Code Analysis


                  Executed Functions

                  Non-executed Functions

                  Memory Dump Source
                  • Source File: 00000008.00000002.707041635.00000000001E2000.00000002.00020000.sdmp, Offset: 001E0000, based on PE: true
                  • Associated: 00000008.00000002.707023958.00000000001E0000.00000002.00020000.sdmp
                  • Associated: 00000008.00000002.707144433.00000000002A8000.00000002.00020000.sdmp
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Executed Functions

                  Strings
                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID: D0.l$D0.l$D0.l
                  • API String ID: 0-3472312390
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetCurrentProcess.KERNEL32 ref: 02AC6BB0
                  • GetCurrentThread.KERNEL32 ref: 02AC6BED
                  • GetCurrentProcess.KERNEL32 ref: 02AC6C2A
                  • GetCurrentThreadId.KERNEL32 ref: 02AC6C83
                  Memory Dump Source
                  • Source File: 00000009.00000002.914029837.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false
                  Similarity
                  • API ID: Current$ProcessThread
                  • String ID:
                  • API String ID: 2063062207-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • GetCurrentProcess.KERNEL32 ref: 02AC6BB0
                  • GetCurrentThread.KERNEL32 ref: 02AC6BED
                  • GetCurrentProcess.KERNEL32 ref: 02AC6C2A
                  • GetCurrentThreadId.KERNEL32 ref: 02AC6C83
                  Memory Dump Source
                  • Source File: 00000009.00000002.914029837.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false
                  Similarity
                  • API ID: Current$ProcessThread
                  • String ID:
                  • API String ID: 2063062207-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID: Xc.l$Xc.l
                  • API String ID: 0-2922980055
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID: \)l
                  • API String ID: 0-3906975798
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02AC52A2
                  Memory Dump Source
                  • Source File: 00000009.00000002.914029837.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false
                  Similarity
                  • API ID: CreateWindow
                  • String ID:
                  • API String ID: 716092398-0
                  • Opcode ID: d62cf0b2b4ffd8c42472871331e732dcf9bcf2c450f99f7cd58bc636389e2af7
                  • Instruction ID: 1c5bdaec37e6637f4ba219e8d7e71eec6e69c344de1d17a27eb74afe27c9b4bc
                  • Opcode Fuzzy Hash: d62cf0b2b4ffd8c42472871331e732dcf9bcf2c450f99f7cd58bc636389e2af7
                  • Instruction Fuzzy Hash: D951B0B1D103499FDB14CFA9C884ADEFBB5BF48314F64812EE815AB210D775A845CF90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02AC52A2
                  Memory Dump Source
                  • Source File: 00000009.00000002.914029837.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false
                  Similarity
                  • API ID: CreateWindow
                  • String ID:
                  • API String ID: 716092398-0
                  • Opcode ID: 6b8dec77eb4aabba0039d68ce8192a2e1d0cf5da894f418a22c258dfa229c071
                  • Instruction ID: 64a0b58aff8cc90dbb8de6b30c0be2331a977a59ff2fe570cb013d8ad2b860d5
                  • Opcode Fuzzy Hash: 6b8dec77eb4aabba0039d68ce8192a2e1d0cf5da894f418a22c258dfa229c071
                  • Instruction Fuzzy Hash: B641AFB1D103499FDB14CF99C884ADEFBF5BF88314F64812AE819AB210DB75A845CF90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02AC6DFF
                  Memory Dump Source
                  • Source File: 00000009.00000002.914029837.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  • Opcode ID: 28a1311e5b5a8f218a01cee6d4690a009d94f71ec53f5c75c49e5044cf4b6524
                  • Instruction ID: 5ad0b69e0fefe91c7ca8bd60c46456946c80549ed34aab80f41c35617fa32c61
                  • Opcode Fuzzy Hash: 28a1311e5b5a8f218a01cee6d4690a009d94f71ec53f5c75c49e5044cf4b6524
                  • Instruction Fuzzy Hash: 4241B1B4E803448FE751EFA0E984BE93BB1FB58714F51492DE9058B796DB388816CF21
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID: \)l
                  • API String ID: 0-3906975798
                  • Opcode ID: 148e573e27fd7e2edb7c165d42d6ce8b2ebac0737a6271fddd52304274cbbb21
                  • Instruction ID: 4ef3b6f647e663e4194e822da6c77b177046d1a76793ec275e6149f5aff1c504
                  • Opcode Fuzzy Hash: 148e573e27fd7e2edb7c165d42d6ce8b2ebac0737a6271fddd52304274cbbb21
                  • Instruction Fuzzy Hash: 66D16B74F002148FDB64DBA8C494BAEBBF2FF89310F558569E846EF381DA749C428B51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 02AC7CF9
                  Memory Dump Source
                  • Source File: 00000009.00000002.914029837.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false
                  Similarity
                  • API ID: CallProcWindow
                  • String ID:
                  • API String ID: 2714655100-0
                  • Opcode ID: 7e444e7bf7bf9c26be652c045234ab37a62e2943476ec72c67b4bdfdadbecb95
                  • Instruction ID: 8d6aec3d71d75fe352b75dde45824d6c8d77bf48777c9217b6fdd6e1dff19adb
                  • Opcode Fuzzy Hash: 7e444e7bf7bf9c26be652c045234ab37a62e2943476ec72c67b4bdfdadbecb95
                  • Instruction Fuzzy Hash: 48413CB49043098FDB14CF99C484AAAFBF5FB88314F24845DE515A7361CB34A841CFA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID: \)l
                  • API String ID: 0-3906975798
                  • Opcode ID: c1563e89b9f944762575875279db75355d15798da6c6785a24466199a5f46f27
                  • Instruction ID: 1ad8c70efc35d9a55100012ba707c1b3a7ac640d15bee31ec5476b5a3ac82414
                  • Opcode Fuzzy Hash: c1563e89b9f944762575875279db75355d15798da6c6785a24466199a5f46f27
                  • Instruction Fuzzy Hash: 56C16C74E002148FDB64DBA8C494BAEBBF2FF89310F558569E846EF381DB749C428B51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02AC6DFF
                  Memory Dump Source
                  • Source File: 00000009.00000002.914029837.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  • Opcode ID: a934c5579929d17a7c15ffe47e525caeee4042ade5f2628485e17dab511496f9
                  • Instruction ID: f18c82f0f68b6d36c1a91aaeb68aadc3fa25934b6b2dd472404d63fc147496ba
                  • Opcode Fuzzy Hash: a934c5579929d17a7c15ffe47e525caeee4042ade5f2628485e17dab511496f9
                  • Instruction Fuzzy Hash: 932100B5D002489FCB10CFA9D484AEEBBF4FF48324F14801AE954A7310C378A945CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02AC6DFF
                  Memory Dump Source
                  • Source File: 00000009.00000002.914029837.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  • Opcode ID: 737d3fcf4bea5f9199e5086d4bbf872bef332244c73e5fc5af8679208ec734b4
                  • Instruction ID: 0a02ecfb594bacf83209eac7b8c8fd34fea1ad091775e6fe85ebd86d5dfc0780
                  • Opcode Fuzzy Hash: 737d3fcf4bea5f9199e5086d4bbf872bef332244c73e5fc5af8679208ec734b4
                  • Instruction Fuzzy Hash: 5F21D5B5D002489FDB10CF99D584AEEFBF8FB48324F14841AE914A7350D779A954CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RtlEncodePointer.NTDLL(00000000), ref: 02ACBE82
                  Memory Dump Source
                  • Source File: 00000009.00000002.914029837.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false
                  Similarity
                  • API ID: EncodePointer
                  • String ID:
                  • API String ID: 2118026453-0
                  • Opcode ID: b4d6b28848d7ac622282d6d6a981dce4193c470ac3d03bd3ca7031147b9c5fb9
                  • Instruction ID: e5903575c954bb355c805f962c04743f222a827237a7208ca22e1a78c29e1ff4
                  • Opcode Fuzzy Hash: b4d6b28848d7ac622282d6d6a981dce4193c470ac3d03bd3ca7031147b9c5fb9
                  • Instruction Fuzzy Hash: D221CDB19053448FDB20CFA5C88879ABFF4EB09318F24896ED448E3682C7396508CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • RtlEncodePointer.NTDLL(00000000), ref: 02ACBE82
                  Memory Dump Source
                  • Source File: 00000009.00000002.914029837.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false
                  Similarity
                  • API ID: EncodePointer
                  • String ID:
                  • API String ID: 2118026453-0
                  • Opcode ID: 14fad169d7f6652b8032e527b7847b1b6d23c690c9b2c9c5662ad7d295d5e667
                  • Instruction ID: 6769f7e7c107d85ffb490306653fc0ebc53d91b521f86af0ab49f99f7e1a40b1
                  • Opcode Fuzzy Hash: 14fad169d7f6652b8032e527b7847b1b6d23c690c9b2c9c5662ad7d295d5e667
                  • Instruction Fuzzy Hash: 12119DB1D003088FDB20DFA9C58879EBBF4FB08718F24892ED405A3641C7396544CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a3869385643cd662deb6279d898358225605359db087b2925e5a2e0ab44915bc
                  • Instruction ID: efe1112403eeec26705faa3bfee6ddbb61cc7ca26e0474627f2b48a0e3897c91
                  • Opcode Fuzzy Hash: a3869385643cd662deb6279d898358225605359db087b2925e5a2e0ab44915bc
                  • Instruction Fuzzy Hash: D54251B4A013288FCB65EB20DC987ADB7B6AF88314F1080D9D90AA3350CF755E85DF54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e25e00e26f4bee14632eeee80e341b81183394852615c124b4c7367c8cf9028e
                  • Instruction ID: 9e55f90f340c004a043486ef8b39c2fccf6d25dea9eefd0ea5ba846ff4dfe004
                  • Opcode Fuzzy Hash: e25e00e26f4bee14632eeee80e341b81183394852615c124b4c7367c8cf9028e
                  • Instruction Fuzzy Hash: 4D4241B4A113288FCB65EB20DC987ADB7BAAF88314F5080D9D90AA3350CF755E85DF54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bb88b370930ecfc3bad99fda7d7bffa1f9881f19e326844ac412b491ac5236aa
                  • Instruction ID: ee109c3c19f6061749a067cf71aa337d9f05184bc2204d1120f612de993338f8
                  • Opcode Fuzzy Hash: bb88b370930ecfc3bad99fda7d7bffa1f9881f19e326844ac412b491ac5236aa
                  • Instruction Fuzzy Hash: 01423FB4A113288FCB65EB20DC987ADB7BAAF88314F5080D9D90AA3350CF755E85DF54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 497854dc9c98926d93847334eca31d31501c4f0f000fc12c9713aca53bebfbdd
                  • Instruction ID: f6ad8bc43c57d79b8148130763541761909e77f29a64e48eedf39ccca97588aa
                  • Opcode Fuzzy Hash: 497854dc9c98926d93847334eca31d31501c4f0f000fc12c9713aca53bebfbdd
                  • Instruction Fuzzy Hash: 86423FB4A113288FCB65EB20DC987ADB7BAAF88314F5080D9D90AA3350CF755E85DF54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ea3115c3ec162ec5390e7c0f0d90d21d16805141c7c75418faa3c0211d9b5943
                  • Instruction ID: 308f3c37f49a8005bff82c479efc4bf2708caf75d05c67401622c81c5e505ab7
                  • Opcode Fuzzy Hash: ea3115c3ec162ec5390e7c0f0d90d21d16805141c7c75418faa3c0211d9b5943
                  • Instruction Fuzzy Hash: 52B1E0317042148FDB159BA8D894B7EB7E2BFC9214F458568EA86CB395DF38CC06CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cbc767e0585f8fdf3270c9217412c124f26eea6e696dafd442d518034c744972
                  • Instruction ID: bde05a624fb8596df95a56b6a2460be182b8ae0b8eb2fb6532f1f5ec18f2f5cb
                  • Opcode Fuzzy Hash: cbc767e0585f8fdf3270c9217412c124f26eea6e696dafd442d518034c744972
                  • Instruction Fuzzy Hash: CF918231A04259DFCB15CFA8C884A6EBBB5FF45311F46C49AEA959B362C730EC41CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2d59753f29111abc90a13bcd532f56b33382a56f5d8f9f54495bd098cdccb5e6
                  • Instruction ID: 9456e819eea7ace18c2091a89bce07f631fe095a1da12e5530b13ec18f094608
                  • Opcode Fuzzy Hash: 2d59753f29111abc90a13bcd532f56b33382a56f5d8f9f54495bd098cdccb5e6
                  • Instruction Fuzzy Hash: 4551AD313045018FDB54DFBDC898B6A7BE9BF4964075580FAE546CB262EB22DC01CB60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 87ce13d054ae3e9f099acf3b20fef7e1e560f0a360443da3dc67bbc2234b580d
                  • Instruction ID: 2a36812c93a621d723a651e688b6d1bd16e8b55152943445a83c21ddb639c662
                  • Opcode Fuzzy Hash: 87ce13d054ae3e9f099acf3b20fef7e1e560f0a360443da3dc67bbc2234b580d
                  • Instruction Fuzzy Hash: 254158756002059FDB15DFA8D888A6E7BB6FF88311F4180A9F946CB3A1CB72DD41CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c54b53c362ae7f3f96c2c51f8405ca1a39cc670f74ddc56ef685becb74a3542a
                  • Instruction ID: f7539645e209d126ec4fd356ee31a2643dc3215b5b4c016806ef72e1b13b4d53
                  • Opcode Fuzzy Hash: c54b53c362ae7f3f96c2c51f8405ca1a39cc670f74ddc56ef685becb74a3542a
                  • Instruction Fuzzy Hash: EF41BF31740109DFCF529FA8D854AAE3BE6BF88300F548064FA4ACB252CB36CC21DB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ef928e725162fd2a3a0b28281988fdeeb050701a71be73d75a64775153cc2f77
                  • Instruction ID: ba8c3a4e77d9bd0e4e698a9c57397ade277b4ffbf5ab13c178c7750e8dcac0c6
                  • Opcode Fuzzy Hash: ef928e725162fd2a3a0b28281988fdeeb050701a71be73d75a64775153cc2f77
                  • Instruction Fuzzy Hash: A62104307542184BDB2666B9C49437E36CBEFC0614F54C0BAD582CB396EE6BCC42E741
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1be1b8021ba912fd50ab27ad3cff1003df263e01ffc1cd385f266e75a30b9f81
                  • Instruction ID: 97551d0237a9f74a0ce0421155e0f12e459df65450c148167ad65d3f1e87ef5e
                  • Opcode Fuzzy Hash: 1be1b8021ba912fd50ab27ad3cff1003df263e01ffc1cd385f266e75a30b9f81
                  • Instruction Fuzzy Hash: 9C21F7353042498FDB50DEAAD840A7F7FEABF85210F94C4A6E592C7345EB72C840CBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7fabd6f1d05aab0032099e70a88de3437b6b765ae4b0d7f7b4313031d4d504f2
                  • Instruction ID: 40da44d765be95ce7921caddb9e108538fd9859d9a70b8c66912d1efb7ca9a1c
                  • Opcode Fuzzy Hash: 7fabd6f1d05aab0032099e70a88de3437b6b765ae4b0d7f7b4313031d4d504f2
                  • Instruction Fuzzy Hash: A32157303542184BCB2666BDC89423D36CBEFC0514B44C0BAE982CB796EF26CC02E742
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bc65850efe296e6134ef158711e3df8a97616b5b8f2b8e02f7320a8e41804960
                  • Instruction ID: 60b806f9428938f6f46515435c3108a44cfd92a592cd7f111bb24387b1a1b6b4
                  • Opcode Fuzzy Hash: bc65850efe296e6134ef158711e3df8a97616b5b8f2b8e02f7320a8e41804960
                  • Instruction Fuzzy Hash: CF110A3170D2944FC7054BB558742BBBFABBFCB210B4544BBD186CF286DA284C458362
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f3b01d7a2311afd972f7844ff5ddea64f10c6652ca0f61ddb4e3b10b0d43a4f9
                  • Instruction ID: 2c448fda6437a36b3d2774690fd088ccfa2e91854c30e0ed8b3b289e94d7bb9a
                  • Opcode Fuzzy Hash: f3b01d7a2311afd972f7844ff5ddea64f10c6652ca0f61ddb4e3b10b0d43a4f9
                  • Instruction Fuzzy Hash: 4811C6317015118BD7159A79DCA467E77D7FFC4661B5905A8E986CB351DF30DC028BC0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 41ec7426949e5fd79dcca921ad86b80e6750a919d309290eab4d2da4fc0e57ad
                  • Instruction ID: 0a5c6591aedb4fe2ea409febe9c46f8750991f976b221b0d33c915c758cffed8
                  • Opcode Fuzzy Hash: 41ec7426949e5fd79dcca921ad86b80e6750a919d309290eab4d2da4fc0e57ad
                  • Instruction Fuzzy Hash: E2219D71A00208DFDB21CF98C848BAABBF5EF14310F48C4AAE4498B652D776E959CF51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: eefc7d54bede1daa6bce3cefd1363200f1d9dd5f994703d7d03d35f731a235ae
                  • Instruction ID: c2824db5e2fe23dd7a12ef7db5bbb49d8a644406a26b0ff6a2822d4b45c81871
                  • Opcode Fuzzy Hash: eefc7d54bede1daa6bce3cefd1363200f1d9dd5f994703d7d03d35f731a235ae
                  • Instruction Fuzzy Hash: 3D110231700A118BD3159A79DCA463EB7D3BFC4661B5901A8E586CB351DF30CC028BC0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6594af58e8f46791431d7d0e1f0df27988124f012b72624833b87043d66f1b78
                  • Instruction ID: 0903f563d8b31184a3065c265b75bbbf1adc1761773ba6b877b7585fa6e0b9f1
                  • Opcode Fuzzy Hash: 6594af58e8f46791431d7d0e1f0df27988124f012b72624833b87043d66f1b78
                  • Instruction Fuzzy Hash: 3411BC70E0025A9FCB01DFA9C8446AFBFF9EF89300F00846BE954E3242D7748A04CBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 64fd4bfc61212037531decc4d84870c95b80132f5dc7de4fceae7984a4a5d8f2
                  • Instruction ID: f044b695518ee464e206af3e1ec87a0d0f678a2c58bc320cbbc65a6d5af3d3a0
                  • Opcode Fuzzy Hash: 64fd4bfc61212037531decc4d84870c95b80132f5dc7de4fceae7984a4a5d8f2
                  • Instruction Fuzzy Hash: 4D117C32644119DFCB219FA8E848F6E7BE1FF58310F404069FA4A8B252D735C965DBD0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 678d3f8838d76fa5f93b247c1348324e448a4ff20614441fd3c6cf8012e67eb5
                  • Instruction ID: e55249ff158cab4dcda287c013cfa27910bda48be2b60d9861f31cb4e84a8558
                  • Opcode Fuzzy Hash: 678d3f8838d76fa5f93b247c1348324e448a4ff20614441fd3c6cf8012e67eb5
                  • Instruction Fuzzy Hash: 6D115E32640119DFCB619F68E884FAE7BE1BF58310F404069FA4A8B252C735C965DBD0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 998918dcf383191701acd6c9ea214b68c2da2710240c6b72e9443501cd490c2b
                  • Instruction ID: 329a150df5735aecff9edf60a6dfba0cb80ca0e6e8c167d35948cf534fc11be2
                  • Opcode Fuzzy Hash: 998918dcf383191701acd6c9ea214b68c2da2710240c6b72e9443501cd490c2b
                  • Instruction Fuzzy Hash: 0501D672B40014AF8B45DE99AC10BBF3BE7EBCCB60F548429F645C7281DA75DD129BA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c2912c3937b9e4a7b77f836356cf874ec56cf1272024f42b22f04155a8e281bd
                  • Instruction ID: 8721f98fa4e344b55056509e404ae9d5ead79eddfdc348761e1193fa22a70916
                  • Opcode Fuzzy Hash: c2912c3937b9e4a7b77f836356cf874ec56cf1272024f42b22f04155a8e281bd
                  • Instruction Fuzzy Hash: BBF0C272A40014AFDB01CE99AC00BBF3FA6EBC8760F188026F605C7240DA31D9219B90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1813e3e5512b263363b47b904d7bef5a88907f97fd2621b21c7dc4f2527380ce
                  • Instruction ID: d4cfe763a1ca8e6f03af2dc4928413f8d2f4f4f32159f9dad765075623bf6419
                  • Opcode Fuzzy Hash: 1813e3e5512b263363b47b904d7bef5a88907f97fd2621b21c7dc4f2527380ce
                  • Instruction Fuzzy Hash: 4AF0C232A400146FDB11CE99AC00BFF3FA6EBC8750F188025F645C3241CA318922DB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5bc1207ef83ae16ed1b298540c0f73568bd90d3d842f1021e1fe8eb385639059
                  • Instruction ID: e39f87ab99c9bc65bf68444a1c60016da504009ccf024866a62ec66c8a732af2
                  • Opcode Fuzzy Hash: 5bc1207ef83ae16ed1b298540c0f73568bd90d3d842f1021e1fe8eb385639059
                  • Instruction Fuzzy Hash: 91D05B7EF400198FC758DBB5B8881ADF363E7D8221B05C175D906C3554DF7019559B50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cda302877acd6bc6d6b0bcdad38308f72891305db7da040ef81c049bf6a402fc
                  • Instruction ID: 577be5e68426042160c2d27bfdd4ce1701e0c332a4786a77e63d0edb03ed47ad
                  • Opcode Fuzzy Hash: cda302877acd6bc6d6b0bcdad38308f72891305db7da040ef81c049bf6a402fc
                  • Instruction Fuzzy Hash: B3D0A73185C1094AC354BBA0A8411183716BE913083408A30908A4925BEA7546094781
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 07677b9d1dbb94e565ce281954438dfc8e9e45ec9382d90a1ce505cfa877c2c3
                  • Instruction ID: 88774dcb7335275d2bc5e628f5b282ba7ccdd528bb50b355c8589bb38a16dd84
                  • Opcode Fuzzy Hash: 07677b9d1dbb94e565ce281954438dfc8e9e45ec9382d90a1ce505cfa877c2c3
                  • Instruction Fuzzy Hash: F7D0133185C1194FD554B760F8411553717BAE13093418E71D1494935FDF75571947C1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 462c846807ef470db9ec98cfab9c6510f46d20641394def83d5099aa4394433a
                  • Instruction ID: 1513017c7730a77180c2a1ac6a6e45882ee2fd1175f642fc2fa4d1a129ae2472
                  • Opcode Fuzzy Hash: 462c846807ef470db9ec98cfab9c6510f46d20641394def83d5099aa4394433a
                  • Instruction Fuzzy Hash: F4D0A7304482094AD350BB20E84251533166B92309B018960D0094925BDBBA06098741
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f6db4e1c8cd7a7d902022b5f644f37507c42be8528fcfb1f3f8fd9fbbeec12d2
                  • Instruction ID: bfec15dd6b1f27fe5656bdcae28b83a544c0d3712ece205e49902fc7600b9981
                  • Opcode Fuzzy Hash: f6db4e1c8cd7a7d902022b5f644f37507c42be8528fcfb1f3f8fd9fbbeec12d2
                  • Instruction Fuzzy Hash: 99C0123148821D4A9560BB60F842515331B6AD12083418E71E1094936F9FB966198795
                  Uniqueness

                  Uniqueness Score: -1.00%
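Every record above carries "based on PE: false" for its memory dump source: the functions live in the 010A0000 and 02AC0000 regions of process 00000009, which are not backed by the image on disk, i.e. code that was unpacked or injected at run time, and the same API call site is listed once per function variant (CreateWindowExW at 02AC52A2, DuplicateHandle at 02AC6DFF and RtlEncodePointer at 02ACBE82 each appear in more than one record). The Python parser below is an added example, not part of the Joe Sandbox report or its tooling: it reads this record layout, deduplicates API call sites, and groups records by memory region, PE-backing and executed/non-executed status (the "Non-executed Functions" heading that follows is handled the same way as the executed listing). The sample input is a constructed excerpt, trimmed to the fields the parser uses, with the bullet character and field names as printed above; the record boundary is assumed to be the "Uniqueness Score" line, and a score of -1.00% is treated as "not computed".

```python
"""Parse Joe Sandbox "Executed / Non-executed Functions" records (added example).

Not report code: a small reader for the record layout shown above, so the API
call sites and memory regions can be extracted instead of read block by block.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, excerpted from the listing and trimmed to the fields used.
SAMPLE = """\
Executed Functions

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02AC52A2
Memory Dump Source
• Source File: 00000009.00000002.914029837.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false
• Opcode ID: d62cf0b2b4ffd8c42472871331e732dcf9bcf2c450f99f7cd58bc636389e2af7
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02AC52A2
Memory Dump Source
• Source File: 00000009.00000002.914029837.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false
• Opcode ID: 6b8dec77eb4aabba0039d68ce8192a2e1d0cf5da894f418a22c258dfa229c071
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02AC6DFF
Memory Dump Source
• Source File: 00000009.00000002.914029837.0000000002AC0000.00000040.00000001.sdmp, Offset: 02AC0000, based on PE: false
• Opcode ID: 28a1311e5b5a8f218a01cee6d4690a009d94f71ec53f5c75c49e5044cf4b6524
Uniqueness Score: -1.00%

Non-executed Functions

Strings
Memory Dump Source
• Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
• String ID: )l$)l$)l$)l
• Opcode ID: 5c1013fe7b50131ceff544a2e3b6fe2aed93afee839652fa2da5c6a89c8e01d7
Uniqueness Score: -1.00%
"""

# Line shapes as they appear in the report; order of matching matters below.
API_RE = re.compile(r"^•\s*(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^•\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(?P<score>-?[0-9.]+)%$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")


@dataclass
class FunctionRecord:
    executed: bool
    apis: list = field(default_factory=list)      # (api name, module, call address)
    source_file: str = ""
    offset: int = 0                               # region base from "Offset:"
    pe_backed: bool = True                        # False = unpacked/injected memory
    fields: dict = field(default_factory=dict)    # Opcode ID, String ID, ...
    uniqueness: Optional[float] = None            # None when the report prints -1.00%


def parse_records(text):
    """Split the listing into records; a record closes at its 'Uniqueness Score' line."""
    records, cur, executed = [], None, True
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Executed Functions":
            executed = True
            continue
        if line == "Non-executed Functions":
            executed = False
            continue
        if cur is None:
            cur = FunctionRecord(executed=executed)
        m = API_RE.match(line)
        if m:
            cur.apis.append((m["name"], m["module"], m["ref"]))
            continue
        m = SRC_RE.match(line)
        if m:
            cur.source_file, cur.offset = m["file"], int(m["offset"], 16)
            cur.pe_backed = m["pe"] == "true"
            continue
        m = SCORE_RE.match(line)
        if m:
            score = float(m["score"])
            cur.uniqueness = None if score < 0 else score
            records.append(cur)
            cur = None
            continue
        m = FIELD_RE.match(line)
        if m:
            cur.fields[m["key"].strip()] = m["val"].strip()
    return records


def unique_call_sites(records):
    """Distinct (api, module, address) triples: one record per function variant
    means the same call site is listed repeatedly in the report."""
    return sorted({site for r in records for site in r.apis})


def regions(records):
    """Per memory region: PE-backing, API names seen, and executed/non-executed counts."""
    out = {}
    for r in records:
        info = out.setdefault(r.offset, {"pe_backed": r.pe_backed, "apis": set(),
                                         "executed": 0, "non_executed": 0})
        info["apis"].update(name for name, _, _ in r.apis)
        info["executed" if r.executed else "non_executed"] += 1
    return out


def uncomputed_uniqueness(records):
    """Count records whose uniqueness score the report did not compute (-1.00%)."""
    return sum(1 for r in records if r.uniqueness is None)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for name, module, ref in unique_call_sites(recs):
        print(f"{module}!{name} @ {ref}")
    for off, info in sorted(regions(recs).items()):
        print(f"region {off:08X}: pe_backed={info['pe_backed']} executed={info['executed']} "
              f"non_executed={info['non_executed']} apis={sorted(info['apis'])}")
```

Run against the full report text, the region summary is the quickest way to see which non-file-backed regions actually execute Win32 calls (here the 02AC0000 region, with window creation, handle duplication and pointer encoding) versus regions that only hold strings; those are the regions worth dumping and scanning with the YARA rules referenced in the report.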

                  Non-executed Functions

                  Strings
                  Memory Dump Source
                  • Source File: 00000009.00000002.913852517.00000000010A0000.00000040.00000001.sdmp, Offset: 010A0000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID: )l$)l$)l$)l
                  • API String ID: 0-413331778
                  • Opcode ID: 5c1013fe7b50131ceff544a2e3b6fe2aed93afee839652fa2da5c6a89c8e01d7
                  • Instruction ID: 1cf79ca02b58bb41ffc507605517f121e770b34fa248ac749dca84d526486319
                  • Opcode Fuzzy Hash: 5c1013fe7b50131ceff544a2e3b6fe2aed93afee839652fa2da5c6a89c8e01d7
                  • Instruction Fuzzy Hash: 2C01D4327102158F87509AAEC8A0A2EB7E9BFAA76075541B9E586CF371DA30DC418780
                  Uniqueness

                  Uniqueness Score: -1.00%