Analysis Report Skilmark Co. Ltd - Purchase Order 022021.pdf.exe

Overview

General Information

Sample Name: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
Analysis ID: 356502
MD5: d765dcbdabed2ed1dd0fdd8800f221ed
SHA1: be68fc678cca6434577d7af59abf129569ab7b47
SHA256: d2693c3162e3ea906bf7fc546a07985a3bf55bbfb78f52015265cf7140eed31f
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code contains very large strings
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Skilmark Co. Ltd - Purchase Order 022021.pdf.exe (PID: 6424 cmdline: 'C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe' MD5: D765DCBDABED2ED1DD0FDD8800F221ED)
    • schtasks.exe (PID: 7004 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OEpDLNVZW' /XML 'C:\Users\user\AppData\Local\Temp\tmp8B36.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.254941968.0000000004113000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x40f8d:$x1: NanoCore.ClientPluginHost
  • 0x737ad:$x1: NanoCore.ClientPluginHost
  • 0x40fca:$x2: IClientNetworkHost
  • 0x737ea:$x2: IClientNetworkHost
  • 0x44afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x7731d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.254941968.0000000004113000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.254941968.0000000004113000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x40cf5:$a: NanoCore
  • 0x40d05:$a: NanoCore
  • 0x40f39:$a: NanoCore
  • 0x40f4d:$a: NanoCore
  • 0x40f8d:$a: NanoCore
  • 0x73515:$a: NanoCore
  • 0x73525:$a: NanoCore
  • 0x73759:$a: NanoCore
  • 0x7376d:$a: NanoCore
  • 0x737ad:$a: NanoCore
  • 0x40d54:$b: ClientPlugin
  • 0x40f56:$b: ClientPlugin
  • 0x40f96:$b: ClientPlugin
  • 0x73574:$b: ClientPlugin
  • 0x73776:$b: ClientPlugin
  • 0x737b6:$b: ClientPlugin
  • 0x40e7b:$c: ProjectData
  • 0x7369b:$c: ProjectData
  • 0x41882:$d: DESCrypto
  • 0x740a2:$d: DESCrypto
  • 0x4924e:$e: KeepAlive
00000000.00000002.253631018.0000000002EE2000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.253583069.0000000002E91000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.2ec6bf0.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x429ad:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x429ea:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x42725:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x429ad:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x43fe6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x43fda:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x44e8b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x4ac42:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
  • 0x429d7:$s5: IClientLoggingHost
0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0x42715:$a: NanoCore
  • 0x42725:$a: NanoCore
  • 0x42959:$a: NanoCore
  • 0x4296d:$a: NanoCore
  • 0x429ad:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x42774:$b: ClientPlugin
  • 0x42976:$b: ClientPlugin
  • 0x429b6:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x4289b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x432a2:$d: DESCrypto
  • 0x1844e:$e: KeepAlive

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, ProcessId: 7048, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OEpDLNVZW' /XML 'C:\Users\user\AppData\Local\Temp\tmp8B36.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OEpDLNVZW' /XML 'C:\Users\user\AppData\Local\Temp\tmp8B36.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe' , ParentImage: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, ParentProcessId: 6424, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OEpDLNVZW' /XML 'C:\Users\user\AppData\Local\Temp\tmp8B36.tmp', ProcessId: 7004
Sigma detected: Suspicious Double Extension
Source: Process started | Author: Florian Roth (rule), @blu3_team (idea) | Data: Command: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, CommandLine: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, CommandLine|base64offset|contains: ., Image: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, NewProcessName: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, OriginalFileName: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, ParentCommandLine: 'C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe' , ParentImage: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, ParentProcessId: 6424, ProcessCommandLine: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, ProcessId: 7048

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\OEpDLNVZW.exe | ReversingLabs: Detection: 10%
Multi AV Scanner detection for submitted file
Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | ReversingLabs: Detection: 10%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.254941968.0000000004113000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe PID: 6424, type: MEMORY
Source: Yara match | File source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\OEpDLNVZW.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_0921F590
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_0921F880
Source: global traffic | TCP traffic: 192.168.2.3:49708 -> 45.137.22.36:4837
Source: unknown | TCP traffic detected without corresponding DNS query: 45.137.22.36

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.254941968.0000000004113000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe PID: 6424, type: MEMORY
Source: Yara match | File source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.unpack, type: UNPACKEDPE

            System Summary:

            barindex
            Malicious sample detected (through community Yara rule)Show sources
            Source: 00000000.00000002.254941968.0000000004113000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000000.00000002.254941968.0000000004113000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe PID: 6424, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Process Memory Space: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe PID: 6424, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
.NET source code contains very large strings
Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, LogIn.cs | Long String: Length: 13656
Source: OEpDLNVZW.exe.0.dr, LogIn.cs | Long String: Length: 13656
Source: 0.0.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.a70000.0.unpack, LogIn.cs | Long String: Length: 13656
Source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.a70000.0.unpack, LogIn.cs | Long String: Length: 13656
Source: 8.0.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.8c0000.0.unpack, LogIn.cs | Long String: Length: 13656
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Code function: 0_2_0124C2B0 0_2_0124C2B0
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Code function: 0_2_01249990 0_2_01249990
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Code function: 0_2_09218CF8 0_2_09218CF8
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Code function: 0_2_0921DE18 0_2_0921DE18
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Code function: 0_2_09210D90 0_2_09210D90
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Code function: 0_2_09212C49 0_2_09212C49
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Code function: 0_2_09212C58 0_2_09212C58
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Code function: 0_2_09218CE8 0_2_09218CE8
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Code function: 0_2_09212EA8 0_2_09212EA8
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Code function: 0_2_09212E99 0_2_09212E99
Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: OEpDLNVZW.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000000.209596100.0000000000AF4000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameX509KeyStorageFlags.exe6 vs Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.260816145.00000000079E0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.261328294.0000000009190000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.260926149.0000000007A40000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.260926149.0000000007A40000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.261213908.0000000008FE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.253583069.0000000002E91000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.253583069.0000000002E91000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAsyncState.dllF vs Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000008.00000000.250360557.0000000000944000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameX509KeyStorageFlags.exe6 vs Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000008.00000003.260589079.00000000010D7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Binary or memory string: OriginalFilenameX509KeyStorageFlags.exe6 vs Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000000.00000002.254941968.0000000004113000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.254941968.0000000004113000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe PID: 6424, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe PID: 6424, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: OEpDLNVZW.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, LogIn.cs | Base64 encoded string: (long Base64 blob omitted)
Source: OEpDLNVZW.exe.0.dr, LogIn.cs | Base64 encoded string: (long Base64 blob omitted)
Source: 0.0.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.a70000.0.unpack, LogIn.cs | Base64 encoded string: (long Base64 blob omitted)
Source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.a70000.0.unpack, LogIn.cs | Base64 encoded string: (long Base64 blob omitted)
Source: 8.0.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.8c0000.0.unpack, LogIn.cs | Base64 encoded string: (long Base64 blob omitted)
Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/8@0/1
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | File created: C:\Users\user\AppData\Roaming\OEpDLNVZW.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7012:120:WilError_01
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{4ebd7928-1b04-4f77-ac2c-9f852e49f127}
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\XYYBzetgSVJBwiDmunJxWrqzcUC
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmp8B36.tmp
Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.253631018.0000000002EE2000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.253631018.0000000002EE2000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | ReversingLabs: Detection: 10%
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | File read: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
Source: unknown | Process created: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe 'C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OEpDLNVZW' /XML 'C:\Users\user\AppData\Local\Temp\tmp8B36.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OEpDLNVZW' /XML 'C:\Users\user\AppData\Local\Temp\tmp8B36.tmp'
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Process created: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: OEpDLNVZW.exe.0.dr, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.a70000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.a70000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.8c0000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Code function: 0_2_09216236 push es; iretd 0_2_09216237
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Code function: 0_2_092165F4 push eax; iretd 0_2_092165F7
Source: initial sample | Static PE information: section name: .text entropy: 7.49616773299
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | File created: \skilmark co. ltd - purchase order 022021.pdf.exe
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | File created: C:\Users\user\AppData\Roaming\OEpDLNVZW.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OEpDLNVZW' /XML 'C:\Users\user\AppData\Local\Temp\tmp8B36.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | File opened: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion:

            Yara detected AntiVM_3
            Source: Yara match, File source: 00000000.00000002.253631018.0000000002EE2000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.253583069.0000000002E91000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe PID: 6424, type: MEMORY
            Source: Yara match, File source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.2ec6bf0.1.raw.unpack, type: UNPACKEDPE
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.253631018.0000000002EE2000.00000004.00000001.sdmp, Binary or memory string: SBIEDLL.DLL
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.253631018.0000000002EE2000.00000004.00000001.sdmp, Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, Window / User API: threadDelayed 6882
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, Window / User API: threadDelayed 2219
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, Window / User API: foregroundWindowGot 638
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, Window / User API: foregroundWindowGot 768
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe TID: 6428, Thread sleep time: -104261s >= -30000s
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe TID: 6444, Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe TID: 5712, Thread sleep time: -13835058055282155s >= -30000s
            Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.253631018.0000000002EE2000.00000004.00000001.sdmp, Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.253631018.0000000002EE2000.00000004.00000001.sdmp, Binary or memory string: vmware
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.253631018.0000000002EE2000.00000004.00000001.sdmp, Binary or memory string: VMware SVGA II
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.253631018.0000000002EE2000.00000004.00000001.sdmp, Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, Process token adjusted: Debug
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            Injects a PE file into a foreign processes