Analysis Report Skilmark Co. Ltd - Purchase Order 022021.pdf.exe

Overview

General Information

Sample Name: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
Analysis ID: 356502
MD5: d765dcbdabed2ed1dd0fdd8800f221ed
SHA1: be68fc678cca6434577d7af59abf129569ab7b47
SHA256: d2693c3162e3ea906bf7fc546a07985a3bf55bbfb78f52015265cf7140eed31f
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code contains very large strings
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Skilmark Co. Ltd - Purchase Order 022021.pdf.exe (PID: 6424 cmdline: 'C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe' MD5: D765DCBDABED2ED1DD0FDD8800F221ED)
    • schtasks.exe (PID: 7004 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OEpDLNVZW' /XML 'C:\Users\user\AppData\Local\Temp\tmp8B36.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.254941968.0000000004113000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x40f8d:$x1: NanoCore.ClientPluginHost
  • 0x737ad:$x1: NanoCore.ClientPluginHost
  • 0x40fca:$x2: IClientNetworkHost
  • 0x737ea:$x2: IClientNetworkHost
  • 0x44afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x7731d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.254941968.0000000004113000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
    00000000.00000002.254941968.0000000004113000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0x40cf5:$a: NanoCore
    • 0x40d05:$a: NanoCore
    • 0x40f39:$a: NanoCore
    • 0x40f4d:$a: NanoCore
    • 0x40f8d:$a: NanoCore
    • 0x73515:$a: NanoCore
    • 0x73525:$a: NanoCore
    • 0x73759:$a: NanoCore
    • 0x7376d:$a: NanoCore
    • 0x737ad:$a: NanoCore
    • 0x40d54:$b: ClientPlugin
    • 0x40f56:$b: ClientPlugin
    • 0x40f96:$b: ClientPlugin
    • 0x73574:$b: ClientPlugin
    • 0x73776:$b: ClientPlugin
    • 0x737b6:$b: ClientPlugin
    • 0x40e7b:$c: ProjectData
    • 0x7369b:$c: ProjectData
    • 0x41882:$d: DESCrypto
    • 0x740a2:$d: DESCrypto
    • 0x4924e:$e: KeepAlive
    00000000.00000002.253631018.0000000002EE2000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
      00000000.00000002.253583069.0000000002E91000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

        Unpacked PEs

        Source | Rule | Description | Author | Strings
        0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.2ec6bf0.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
          0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
          • 0x1018d:$x1: NanoCore.ClientPluginHost
          • 0x429ad:$x1: NanoCore.ClientPluginHost
          • 0x101ca:$x2: IClientNetworkHost
          • 0x429ea:$x2: IClientNetworkHost
          • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
          • 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
          0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
          • 0xff05:$x1: NanoCore Client.exe
          • 0x42725:$x1: NanoCore Client.exe
          • 0x1018d:$x2: NanoCore.ClientPluginHost
          • 0x429ad:$x2: NanoCore.ClientPluginHost
          • 0x117c6:$s1: PluginCommand
          • 0x43fe6:$s1: PluginCommand
          • 0x117ba:$s2: FileCommand
          • 0x43fda:$s2: FileCommand
          • 0x1266b:$s3: PipeExists
          • 0x44e8b:$s3: PipeExists
          • 0x18422:$s4: PipeCreated
          • 0x4ac42:$s4: PipeCreated
          • 0x101b7:$s5: IClientLoggingHost
          • 0x429d7:$s5: IClientLoggingHost
          0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
            0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
            • 0xfef5:$a: NanoCore
            • 0xff05:$a: NanoCore
            • 0x10139:$a: NanoCore
            • 0x1014d:$a: NanoCore
            • 0x1018d:$a: NanoCore
            • 0x42715:$a: NanoCore
            • 0x42725:$a: NanoCore
            • 0x42959:$a: NanoCore
            • 0x4296d:$a: NanoCore
            • 0x429ad:$a: NanoCore
            • 0xff54:$b: ClientPlugin
            • 0x10156:$b: ClientPlugin
            • 0x10196:$b: ClientPlugin
            • 0x42774:$b: ClientPlugin
            • 0x42976:$b: ClientPlugin
            • 0x429b6:$b: ClientPlugin
            • 0x1007b:$c: ProjectData
            • 0x4289b:$c: ProjectData
            • 0x10a82:$d: DESCrypto
            • 0x432a2:$d: DESCrypto
            • 0x1844e:$e: KeepAlive

            Sigma Overview

            System Summary:

            Sigma detected: NanoCore
            Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, ProcessId: 7048, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
            Sigma detected: Scheduled temp file as task from temp location
            Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OEpDLNVZW' /XML 'C:\Users\user\AppData\Local\Temp\tmp8B36.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OEpDLNVZW' /XML 'C:\Users\user\AppData\Local\Temp\tmp8B36.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe' , ParentImage: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, ParentProcessId: 6424, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OEpDLNVZW' /XML 'C:\Users\user\AppData\Local\Temp\tmp8B36.tmp', ProcessId: 7004
            Sigma detected: Suspicious Double Extension
            Source: Process started, Author: Florian Roth (rule), @blu3_team (idea), Data: Command: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, CommandLine: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, CommandLine|base64offset|contains: ., Image: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, NewProcessName: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, OriginalFileName: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, ParentCommandLine: 'C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe' , ParentImage: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, ParentProcessId: 6424, ProcessCommandLine: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, ProcessId: 7048

            Signature Overview

            AV Detection:

            Multi AV Scanner detection for dropped file
            Source: C:\Users\user\AppData\Roaming\OEpDLNVZW.exe, ReversingLabs: Detection: 10%
            Multi AV Scanner detection for submitted file
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, ReversingLabs: Detection: 10%
            Yara detected Nanocore RAT
            Source: Yara match, File source: 00000000.00000002.254941968.0000000004113000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe PID: 6424, type: MEMORY
            Source: Yara match, File source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.unpack, type: UNPACKEDPE
            Machine Learning detection for dropped file
            Source: C:\Users\user\AppData\Roaming\OEpDLNVZW.exe, Joe Sandbox ML: detected
            Machine Learning detection for sample
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, Joe Sandbox ML: detected

            Compliance:

            Uses 32bit PE files
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Contains modern PE file flags such as dynamic base (ASLR) or NX
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h, 0_2_0921F590
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h, 0_2_0921F880
            Source: global traffic, TCP traffic: 192.168.2.3:49708 -> 45.137.22.36:4837
            Source: unknown, TCP traffic detected without corresponding DNS query: 45.137.22.36

            E-Banking Fraud:

            Yara detected Nanocore RAT
            Source: Yara match, File source: 00000000.00000002.254941968.0000000004113000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe PID: 6424, type: MEMORY
            Source: Yara match, File source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.unpack, type: UNPACKEDPE

            System Summary:

            barindex
            Malicious sample detected (through community Yara rule)Show sources
            Source: 00000000.00000002.254941968.0000000004113000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000000.00000002.254941968.0000000004113000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: Process Memory Space: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe PID: 6424, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: Process Memory Space: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe PID: 6424, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            .NET source code contains very large strings
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, LogIn.csLong String: Length: 13656
            Source: OEpDLNVZW.exe.0.dr, LogIn.csLong String: Length: 13656
            Source: 0.0.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.a70000.0.unpack, LogIn.csLong String: Length: 13656
            Source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.a70000.0.unpack, LogIn.csLong String: Length: 13656
            Source: 8.0.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.8c0000.0.unpack, LogIn.csLong String: Length: 13656
            Initial sample is a PE file and has a suspicious name
            Source: initial sampleStatic PE information: Filename: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeCode function: 0_2_0124C2B00_2_0124C2B0
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeCode function: 0_2_012499900_2_01249990
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeCode function: 0_2_09218CF80_2_09218CF8
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeCode function: 0_2_0921DE180_2_0921DE18
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeCode function: 0_2_09210D900_2_09210D90
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeCode function: 0_2_09212C490_2_09212C49
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeCode function: 0_2_09212C580_2_09212C58
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeCode function: 0_2_09218CE80_2_09218CE8
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeCode function: 0_2_09212EA80_2_09212EA8
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeCode function: 0_2_09212E990_2_09212E99
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: OEpDLNVZW.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000000.209596100.0000000000AF4000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameX509KeyStorageFlags.exe6 vs Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.260816145.00000000079E0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.261328294.0000000009190000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.260926149.0000000007A40000.00000002.00000001.sdmpBinary or memory string: originalfilename vs Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.260926149.0000000007A40000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.261213908.0000000008FE0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.253583069.0000000002E91000.00000004.00000001.sdmpBinary or memory string: OriginalFilename vs Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.253583069.0000000002E91000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAsyncState.dllF vs Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000008.00000000.250360557.0000000000944000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameX509KeyStorageFlags.exe6 vs Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000008.00000003.260589079.00000000010D7000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exeBinary or memory string: OriginalFilenameX509KeyStorageFlags.exe6 vs Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 00000000.00000002.254941968.0000000004113000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000000.00000002.254941968.0000000004113000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: Process Memory Space: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe PID: 6424, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: Process Memory Space: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe PID: 6424, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: OEpDLNVZW.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, LogIn.csBase64 encoded string
            Source: OEpDLNVZW.exe.0.dr, LogIn.csBase64 encoded string
            Source: 0.0.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.a70000.0.unpack, LogIn.csBase64 encoded string
            Source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.a70000.0.unpack, LogIn.csBase64 encoded string
            Source: 8.0.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.8c0000.0.unpack, LogIn.csBase64 encoded string
            Source: classification engineClassification label: mal100.troj.evad.winEXE@6/8@0/1
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeFile created: C:\Users\user\AppData\Roaming\OEpDLNVZW.exe
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7012:120:WilError_01
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{4ebd7928-1b04-4f77-ac2c-9f852e49f127}
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeMutant created: \Sessions\1\BaseNamedObjects\XYYBzetgSVJBwiDmunJxWrqzcUC
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeFile created: C:\Users\user\AppData\Local\Temp\tmp8B36.tmp
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeFile read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.253631018.0000000002EE2000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.253631018.0000000002EE2000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exeReversingLabs: Detection: 10%
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeFile read: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
            Source: unknownProcess created: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe 'C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe'
            Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OEpDLNVZW' /XML 'C:\Users\user\AppData\Local\Temp\tmp8B36.tmp'
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OEpDLNVZW' /XML 'C:\Users\user\AppData\Local\Temp\tmp8B36.tmp'
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess created: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: OEpDLNVZW.exe.0.dr, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.0.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.a70000.0.unpack, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.a70000.0.unpack, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 8.0.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.8c0000.0.unpack, BoundHandle.cs.Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeCode function: 0_2_09216236 push es; iretd 0_2_09216237
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeCode function: 0_2_092165F4 push eax; iretd 0_2_092165F7
            Source: initial sampleStatic PE information: section name: .text entropy: 7.49616773299
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeFile created: \skilmark co. ltd - purchase order 022021.pdf.exe
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeFile created: C:\Users\user\AppData\Roaming\OEpDLNVZW.exe

            Boot Survival:

            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OEpDLNVZW' /XML 'C:\Users\user\AppData\Local\Temp\tmp8B36.tmp'

            Hooking and other Techniques for Hiding and Protection:

            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeFile opened: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe:Zone.Identifier read attributes | delete
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM_3
            Source: Yara match File source: 00000000.00000002.253631018.0000000002EE2000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.253583069.0000000002E91000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe PID: 6424, type: MEMORY
            Source: Yara match File source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.2ec6bf0.1.raw.unpack, type: UNPACKEDPE
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.253631018.0000000002EE2000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.253631018.0000000002EE2000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe Window / User API: threadDelayed 6882
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe Window / User API: threadDelayed 2219
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe Window / User API: foregroundWindowGot 638
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe Window / User API: foregroundWindowGot 768
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe TID: 6428 Thread sleep time: -104261s >= -30000s
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe TID: 6444 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe TID: 5712 Thread sleep time: -13835058055282155s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.253631018.0000000002EE2000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.253631018.0000000002EE2000.00000004.00000001.sdmp Binary or memory string: vmware
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.253631018.0000000002EE2000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.253631018.0000000002EE2000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe Memory written: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OEpDLNVZW' /XML 'C:\Users\user\AppData\Local\Temp\tmp8B36.tmp'
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe Process created: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

            Stealing of Sensitive Information:

            Yara detected Nanocore RAT
            Source: Yara match; File source: 00000000.00000002.254941968.0000000004113000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe PID: 6424, type: MEMORY
            Source: Yara match; File source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.unpack, type: UNPACKEDPE

            Remote Access Functionality:

            Detected Nanocore Rat
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.254941968.0000000004113000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
            Source: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000008.00000003.260589079.00000000010D7000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
            Yara detected Nanocore RAT
            Source: Yara match; File source: 00000000.00000002.254941968.0000000004113000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe PID: 6424, type: MEMORY
            Source: Yara match; File source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.4143e00.4.unpack, type: UNPACKEDPE

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation 1 | Scheduled Task/Job 1 | Process Injection 111 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 221 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Virtualization/Sandbox Evasion 3 | LSASS Memory | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 111 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories 1 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 31 | Cached Domain Credentials | System Information Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 12 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label | Link
            Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | 11% | ReversingLabs | Win32.Trojan.Wacatac |
            Skilmark Co. Ltd - Purchase Order 022021.pdf.exe | 100% | Joe Sandbox ML | |

            Dropped Files

            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Roaming\OEpDLNVZW.exe | 100% | Joe Sandbox ML | |
            C:\Users\user\AppData\Roaming\OEpDLNVZW.exe | 11% | ReversingLabs | Win32.Trojan.Wacatac |

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs


            Domains and IPs

            Contacted Domains

            No contacted domains info

            URLs from Memory and Binaries

                            http://www.apache.org/licenses/LICENSE-2.0Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.259016529.00000000070D2000.00000004.00000001.sdmpfalse
                              high
                              http://www.fontbureau.comSkilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.259016529.00000000070D2000.00000004.00000001.sdmpfalse
                                high
                                http://www.galapagosdesign.com/Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000003.222198300.0000000005ED3000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.com/designers/frere-jones.htmlhSkilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000003.220995450.0000000005ED9000.00000004.00000001.sdmpfalse
                                  high
                                  http://www.fontbureau.comFSkilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000003.221721195.0000000005EC7000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/TSkilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000003.219183506.0000000005EC5000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/tendJSkilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000003.218577225.0000000005EC5000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.fontbureau.comcevaSkilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000003.224206853.0000000005EC5000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.founder.com.cn/cn/ISkilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000003.216253909.0000000005EC6000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.fontbureau.comtqSkilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000003.223872505.0000000005EC3000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.founder.com.cn/cnzSkilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000003.215993988.0000000005EC7000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/CSkilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000003.219183506.0000000005EC5000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/oiSkilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000003.219183506.0000000005EC5000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/jp/Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000003.219183506.0000000005EC5000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/?Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000003.220053478.0000000005EC5000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/jp/xSkilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000003.219183506.0000000005EC5000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.carterandcone.comlSkilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.259016529.00000000070D2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fontbureau.com/designers/cabarga.htmlNSkilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.259016529.00000000070D2000.00000004.00000001.sdmpfalse
                                    high
                                    http://www.ascendercorp.com/typedesigners.htmluSkilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000003.219952811.0000000005EC5000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.urwpp.devSkilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000003.221493033.0000000005EC5000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.founder.com.cn/cnSkilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.259016529.00000000070D2000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.jiyu-kobo.co.jp/xSkilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000003.219183506.0000000005EC5000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.com/designers/frere-jones.htmlSkilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.259016529.00000000070D2000.00000004.00000001.sdmpfalse
                                      high
                                      http://www.fontbureau.comI.TTFJSkilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000003.221721195.0000000005EC7000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.monotype.Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000003.223450253.0000000005ECC000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.jiyu-kobo.co.jp/Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.259016529.00000000070D2000.00000004.00000001.sdmp, Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000003.219183506.0000000005EC5000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.jiyu-kobo.co.jp/nSkilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000003.219183506.0000000005EC5000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.com/designers8Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000002.259016529.00000000070D2000.00000004.00000001.sdmpfalse
                                        high
                                        http://www.jiyu-kobo.co.jp/gSkilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000003.219183506.0000000005EC5000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.fontbureau.comM.TTFSkilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000003.221721195.0000000005EC7000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.founder.com.cn/cn/4Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000003.216202308.0000000005EC8000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.fontbureau.com/designers/Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000003.220665177.0000000005EFE000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.tiro.comc$Skilmark Co. Ltd - Purchase Order 022021.pdf.exe, 00000000.00000003.214832365.0000000005EDB000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          low

                                          Contacted IPs

                                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
45.137.22.36 | unknown | Netherlands | 51447 | ROOTLAYERNETNL | false

                                          General Information

                                          Joe Sandbox Version:31.0.0 Emerald
                                          Analysis ID:356502
                                          Start date:23.02.2021
                                          Start time:09:03:50
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 7m 34s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Sample file name:Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                          Number of analysed new started processes analysed:30
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.troj.evad.winEXE@6/8@0/1
                                          EGA Information:Failed
                                          HDC Information:Failed
                                          HCA Information:
                                          • Successful, ratio: 86%
                                          • Number of executed functions: 37
                                          • Number of non-executed functions: 7
                                          Cookbook Comments:
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Found application associated with file extension: .exe
                                          Warnings:
                                          • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                          • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • VT rate limit hit for: /opt/package/joesandbox/database/analysis/356502/sample/Skilmark Co. Ltd - Purchase Order 022021.pdf.exe

                                          Simulations

                                          Behavior and APIs

Time | Type | Description
09:04:50 | API Interceptor | 915x Sleep call for process: Skilmark Co. Ltd - Purchase Order 022021.pdf.exe modified

                                          Joe Sandbox View / Context

                                          IPs

Match | Associated Sample Name / URL | Detection
45.137.22.36 | Jagtap Trading - order #JEW-39-16.02.2021.exe | malicious

                                            Domains

                                            No context

                                            ASN

Match | Associated Sample Name / URL | Detection | Context
ROOTLAYERNETNL | SKM_C3350191107102300.exe | malicious | 185.222.58.152
ROOTLAYERNETNL | Jagtap Trading - order #JEW-39-16.02.2021.exe | malicious | 45.137.22.36
ROOTLAYERNETNL | AKBANK E-DEKONT.exe | malicious | 45.137.22.52
ROOTLAYERNETNL | New Order.exe | malicious | 45.137.22.102
ROOTLAYERNETNL | New Order.exe | malicious | 45.137.22.102
ROOTLAYERNETNL | LnkxrWO6yvd9qaJ.exe | malicious | 185.222.58.156
ROOTLAYERNETNL | tuesdacrypted.exe | malicious | 185.222.57.68
ROOTLAYERNETNL | 000009000000900.exe | malicious | 45.137.22.52
ROOTLAYERNETNL | TT.exe | malicious | 185.222.57.213
ROOTLAYERNETNL | Cotizaci#U00f3n de factura.exe | malicious | 45.137.22.52
ROOTLAYERNETNL | kart-009000000..pdf...exe | malicious | 45.137.22.52
ROOTLAYERNETNL | PO-OIOI09000.exe | malicious | 45.137.22.52
ROOTLAYERNETNL | 090000090000-090.exe | malicious | 45.137.22.52
ROOTLAYERNETNL | kart gecmisi.exe | malicious | 45.137.22.52
ROOTLAYERNETNL | 000000000900R.exe | malicious | 45.137.22.52
ROOTLAYERNETNL | 0000000000009000.exe | malicious | 45.137.22.52
ROOTLAYERNETNL | 090887000008000000.exe | malicious | 45.137.22.52
ROOTLAYERNETNL | PURCHASE ORDER098090.exe | malicious | 45.137.22.52
ROOTLAYERNETNL | rawwwwwwwcrypted.exe | malicious | 185.222.57.68
ROOTLAYERNETNL | REMOUOOO9O9.exe | malicious | 45.137.22.52

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe.log
                                            Process:C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:modified
                                            Size (bytes):1314
                                            Entropy (8bit):5.350128552078965
                                            Encrypted:false
                                            SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                            MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                            SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                            SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                            SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                            Malicious:true
                                            Reputation:high, very likely benign file
                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                            C:\Users\user\AppData\Local\Temp\tmp8B36.tmp
                                            Process:C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1642
                                            Entropy (8bit):5.196417458630448
                                            Encrypted:false
                                            SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBCtn:cbh47TlNQ//rydbz9I3YODOLNdq3+
                                            MD5:D9D1C867D06A3C4424E37DE3E7433EAE
                                            SHA1:91B9B926B8EB63ABA169829EC238D0A95F9C3127
                                            SHA-256:94A1ECAAC917C26B04D29202121DEDDFCEB81DA3D6F667B81CF4F33A4E2F1017
                                            SHA-512:7B7CE1293379259E0DC8E46D60EC5BA90EE2AAE126223832AF4592142B1D632ED6CEAE0530A577070CA63945BA6831290442C7B45550724642B962ADC5C6BDEF
                                            Malicious:true
                                            Reputation:low
                                            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                            Process:C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):1856
                                            Entropy (8bit):7.024371743172393
                                            Encrypted:false
                                            SSDEEP:48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrw8:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCr
                                            MD5:838CD9DBC78EA45A5406EAE23962086D
                                            SHA1:C8273AACDEE03AC0CDCDDBAA83F51D04D6A4203C
                                            SHA-256:6E11A62511C5BBC0413128305069B780C448684B54FAA3E8DD0B4FD3DB8C9867
                                            SHA-512:F7D25EF1FA6F50667DD6785CC774E0AA6BC52A2231FE96E7C59D14EFDFDDA076F6399288CF6EAC8EFA8A75727893432AA155DA0E392F8CD1F26C5C5871EAC6B5
                                            Malicious:false
                                            Reputation:low
                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                            Process:C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
                                            File Type:PGP\011Secret Key -
                                            Category:dropped
                                            Size (bytes):8
                                            Entropy (8bit):2.75
                                            Encrypted:false
                                            SSDEEP:3:9a5ft:OF
                                            MD5:94B9CF650DCB8C2D129D5E8B1D940170
                                            SHA1:5C0A796FEBE9520A98018D1F36731E35DBAFCE62
                                            SHA-256:84F05EE5CD6B34BDB8092DFFC6DF97DFD0159089282BE74E80AF8CED0CE86125
                                            SHA-512:9301AE7A595C4C482E3446908B5A4DD1E1E8D3F7D287014A553082D07C211BF27F3B0359B94C6F3EBF9B7E2EAFD26606E966EC8D4FC34407FF1A4E22891A69E2
                                            Malicious:true
                                            Reputation:low
                                            Preview: .-?)...H
                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                            Process:C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):40
                                            Entropy (8bit):5.153055907333276
                                            Encrypted:false
                                            SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                                            MD5:4E5E92E2369688041CC82EF9650EDED2
                                            SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                                            SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                            SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                            Process:C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):327432
                                            Entropy (8bit):7.99938831605763
                                            Encrypted:true
                                            SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                                            MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                                            SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                                            SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                                            SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            C:\Users\user\AppData\Roaming\OEpDLNVZW.exe
                                            Process:C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):729088
                                            Entropy (8bit):7.373755208458107
                                            Encrypted:false
                                            SSDEEP:12288:xClJbGEIGv5dKbr/Yy1V5LYRs5dCJ/ninKUGTSZ+gFQ6CYjcMfNsKcRJN8P:OJ7IogPHZY8KfTScKNjcMfXcOP
                                            MD5:D765DCBDABED2ED1DD0FDD8800F221ED
                                            SHA1:BE68FC678CCA6434577D7AF59ABF129569AB7B47
                                            SHA-256:D2693C3162E3EA906BF7FC546A07985A3BF55BBFB78F52015265CF7140EED31F
                                            SHA-512:F4345F41A035C8D4502411A36001C4EE5A02D9F85F3FE00FC5DC97A7860470D545F9C0C1C1EEC1633ADCC391C1A326D6B4D3833E60C66A2DE50CD7D170D335C2
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: ReversingLabs, Detection: 11%
                                            Reputation:low
                                            C:\Users\user\AppData\Roaming\OEpDLNVZW.exe:Zone.Identifier
                                            Process:C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):26
                                            Entropy (8bit):3.95006375643621
                                            Encrypted:false
                                            SSDEEP:3:ggPYV:rPYV
                                            MD5:187F488E27DB4AF347237FE461A079AD
                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                            Malicious:true
                                            Reputation:high, very likely benign file
                                            Preview: [ZoneTransfer]....ZoneId=0

                                            Static File Info

                                            General

                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):7.373755208458107
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            • DOS Executable Generic (2002/1) 0.01%
                                            File name:Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
                                            File size:729088
                                            MD5:d765dcbdabed2ed1dd0fdd8800f221ed
                                            SHA1:be68fc678cca6434577d7af59abf129569ab7b47
                                            SHA256:d2693c3162e3ea906bf7fc546a07985a3bf55bbfb78f52015265cf7140eed31f
                                            SHA512:f4345f41a035c8d4502411a36001c4ee5a02d9f85f3fe00fc5dc97a7860470d545f9c0c1c1eec1633adcc391c1a326d6b4d3833e60c66a2de50cd7d170d335c2
                                            SSDEEP:12288:xClJbGEIGv5dKbr/Yy1V5LYRs5dCJ/ninKUGTSZ+gFQ6CYjcMfNsKcRJN8P:OJ7IogPHZY8KfTScKNjcMfXcOP
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...PH4`..............P.............."... ...@....@.. ....................................@................................

                                            File Icon

                                            Icon Hash:e4a65d44a4aca8e4

                                            Static PE Info

                                            General

                                            Entrypoint:0x482206
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                            Time Stamp:0x60344850 [Tue Feb 23 00:12:00 2021 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:v4.0.30319
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                            Entrypoint Preview

                                            Instruction
                                            jmp dword ptr [00402000h]
                                            add byte ptr [eax], al

                                            Data Directories

                                            Name                                  Virtual Address  Virtual Size  Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_IMPORT          0x821b4          0x4f          .text
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE        0x84000          0x31644       .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC       0xb6000          0xc           .reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                            Sections

                                            Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
                                            .text   0x2000           0x8020c       0x80400   False     0.77356313962    data       7.49616773299    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                            .rsrc   0x84000          0x31644       0x31800   False     0.516867897727   data       6.6220959465     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc  0xb6000          0xc           0x200     False     0.044921875      data       0.0980041756627  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                            Resources

                                            Name           RVA      Size     Type  (Language and Country columns are empty)
                                            RT_ICON        0x842b0  0x8bf4   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                            RT_ICON        0x8cea4  0x10828  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
                                            RT_ICON        0x9d6cc  0x94a8   data
                                            RT_ICON        0xa6b74  0x5488   data
                                            RT_ICON        0xabffc  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 57599, next used block 4278648832
                                            RT_ICON        0xb0224  0x25a8   dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
                                            RT_ICON        0xb27cc  0x10a8   dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 718597314, next used block 33554431
                                            RT_ICON        0xb3874  0x988    data
                                            RT_ICON        0xb41fc  0x468    GLS_BINARY_LSB_FIRST
                                            RT_GROUP_ICON  0xb4664  0x84     data
                                            RT_VERSION     0xb46e8  0x34c    data
                                            RT_MANIFEST    0xb4a34  0xc0f    XML 1.0 document, UTF-8 Unicode (with BOM) text

                                            Imports

                                            DLL          Import
                                            mscoree.dll  _CorExeMain

                                            Version Infos

                                            Description       Data
                                            Translation       0x0000 0x04b0
                                            LegalCopyright    Copyright 2018
                                            Assembly Version  1.0.0.0
                                            InternalName      X509KeyStorageFlags.exe
                                            FileVersion       1.0.0.0
                                            CompanyName
                                            LegalTrademarks
                                            Comments
                                            ProductName       RegisterVB
                                            ProductVersion    1.0.0.0
                                            FileDescription   RegisterVB
                                            OriginalFilename  X509KeyStorageFlags.exe

                                            Network Behavior

                                            Network Port Distribution

                                            TCP Packets

                                            Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                            Feb 23, 2021 09:05:05.127589941 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.127623081 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.127665997 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.127692938 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.127706051 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.127748966 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.127788067 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.127789974 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.127826929 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.127832890 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.127870083 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.127912998 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.127932072 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.127962112 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.128005981 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.128035069 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.128043890 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.128083944 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.128122091 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.128142118 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.128150940 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.128160954 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.128200054 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.128238916 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.128288031 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.128325939 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.128330946 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.128341913 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.128365993 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.128391981 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.128417015 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.128437996 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.128489017 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.128521919 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.128557920 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.175342083 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.175412893 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.175457001 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.175497055 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.175527096 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.175535917 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.175548077 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.175576925 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.175627947 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.175657988 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.175673008 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.175713062 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.175755978 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.175796032 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.175833941 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.175857067 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.175872087 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.175910950 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.175959110 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.175985098 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.175995111 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.176002026 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.176043034 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.176063061 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.176074982 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.176105022 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.176114082 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.176153898 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.176192045 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.176229954 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.176278114 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.176321030 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.176358938 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.176388979 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.176398039 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.176398039 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.176439047 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.176476955 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.176516056 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.176533937 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.176553965 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.176553965 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.176603079 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.176646948 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.176686049 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.176724911 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.176743031 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.176767111 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.176768064 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.176808119 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.176846981 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.176873922 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.176882982 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.176886082 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.176937103 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.176980972 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.177018881 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.177046061 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.177057028 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.177082062 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.177098036 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.177135944 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.177160025 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.177175045 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.177211046 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.177216053 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.177265882 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.177301884 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.177309990 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.177339077 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.177403927 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.224219084 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.224292994 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.224335909 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.224375963 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.224416018 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.224442005 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.224456072 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.224459887 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.224497080 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.224548101 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.224591970 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.224617004 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.224631071 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.224670887 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.224709034 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.224737883 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.224760056 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.224800110 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.224838018 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.224864006 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.224869013 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.224877119 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.224916935 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.224955082 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.225003958 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.225048065 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.225053072 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.225086927 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.225150108 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.225193024 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.225217104 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.225228071 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.225230932 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.225270033 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.225308895 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.225346088 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.225378036 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.225410938 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.225467920 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.225533009 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.225564003 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.225564957 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.225596905 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.225608110 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.225646973 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.225677013 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.225716114 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.225755930 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.225766897 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.225810051 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.225850105 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.225853920 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.225892067 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.225930929 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.225959063 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.225969076 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.226008892 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.226047039 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.226047993 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.226100922 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.226145029 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.226185083 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.226223946 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.226258993 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.226264000 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.226269007 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.226294994 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.226304054 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.226334095 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.226566076 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.272918940 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.272985935 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.273026943 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.273056984 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.273067951 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.273109913 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.273144007 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.273149014 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.273181915 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.273224115 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.273274899 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.273319006 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.273359060 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.273436069 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.273443937 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.273458004 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.273478985 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.273520947 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.273557901 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.273591995 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.273597002 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.273638964 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.273673058 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.273689032 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.273732901 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.273772001 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.273804903 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.273811102 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.273813963 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.273850918 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.273890018 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.273930073 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.273968935 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.274015903 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.274054050 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.274060011 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.274066925 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.274100065 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.274138927 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.274138927 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.274190903 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.274228096 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.274266958 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.274266958 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.274307013 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.274354935 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.274379969 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.274389982 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.274398088 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.274436951 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.274476051 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.274514914 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.274553061 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.274593115 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.274627924 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.274630070 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.274641991 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.274678946 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.274719954 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.274733067 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.274772882 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.274820089 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.274861097 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.274863005 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.274903059 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.274943113 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.274972916 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.274982929 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.274986029 CET497084837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:05:05.275022030 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.275060892 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.275098085 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.275146961 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:05:05.275192022 CET48374970845.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:31.655452013 CET48374975045.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:31.655558109 CET497504837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:31.656021118 CET497504837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:31.720840931 CET48374975045.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:31.722619057 CET48374975045.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:31.722857952 CET497504837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:31.769630909 CET48374975045.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:31.771935940 CET497504837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:31.842854023 CET48374975045.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:31.945755005 CET48374975045.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:31.997896910 CET497504837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:32.004091024 CET497504837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:32.045222044 CET48374975045.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:32.085990906 CET48374975045.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:32.086190939 CET497504837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:32.133096933 CET48374975045.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:32.185466051 CET497504837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:32.233521938 CET48374975045.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:32.279174089 CET497504837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:32.592304945 CET497504837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:32.672092915 CET48374975045.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:33.592377901 CET497504837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:37.609285116 CET497514837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:37.655936003 CET48374975145.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:37.656061888 CET497514837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:37.656702042 CET497514837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:37.723543882 CET48374975145.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:37.724054098 CET497514837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:37.770984888 CET48374975145.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:37.772519112 CET497514837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:37.838958979 CET48374975145.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:37.959532976 CET48374975145.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:37.960652113 CET497514837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:38.007193089 CET48374975145.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:38.008481979 CET497514837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:38.054965973 CET48374975145.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:38.055073023 CET497514837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:38.101511955 CET48374975145.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:38.154671907 CET497514837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:38.201244116 CET48374975145.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:38.248392105 CET497514837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:38.624216080 CET497514837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:38.685767889 CET48374975145.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:39.592803001 CET497514837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:43.609848976 CET497524837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:43.656517982 CET48374975245.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:43.656666040 CET497524837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:43.657404900 CET497524837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:43.729629040 CET48374975245.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:43.729949951 CET497524837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:43.776952028 CET48374975245.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:43.778577089 CET497524837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:43.844362974 CET48374975245.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:43.959568977 CET48374975245.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:43.960644960 CET497524837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:44.007822990 CET48374975245.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:44.009995937 CET497524837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:44.058893919 CET48374975245.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:44.059092045 CET497524837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:44.105834961 CET48374975245.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:44.155191898 CET497524837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:44.594217062 CET497524837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:44.659549952 CET48374975245.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:47.007946968 CET48374975245.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:47.061628103 CET497524837192.168.2.345.137.22.36
                                            Feb 23, 2021 09:06:48.704466105 CET48374975245.137.22.36192.168.2.3
                                            Feb 23, 2021 09:06:48.749591112 CET497524837192.168.2.345.137.22.36


                                            System Behavior

                                            General

                                            Start time: 09:04:41
                                            Start date: 23/02/2021
                                            Path: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
                                            Wow64 process (32bit): true
                                            Commandline: 'C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe'
                                            Imagebase: 0xa70000
                                            File size: 729088 bytes
                                            MD5 hash: D765DCBDABED2ED1DD0FDD8800F221ED
                                            Has elevated privileges: true
                                            Has administrator privileges: true
                                            Programmed in: .Net C# or VB.NET
                                            Yara matches:
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.254941968.0000000004113000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.254941968.0000000004113000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.254941968.0000000004113000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.253631018.0000000002EE2000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.253583069.0000000002E91000.00000004.00000001.sdmp, Author: Joe Security
                                            Reputation: low

                                            General

                                            Start time: 09:04:59
                                            Start date: 23/02/2021
                                            Path: C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit): true
                                            Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OEpDLNVZW' /XML 'C:\Users\user\AppData\Local\Temp\tmp8B36.tmp'
                                            Imagebase: 0x2a0000
                                            File size: 185856 bytes
                                            MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                                            Has elevated privileges: true
                                            Has administrator privileges: true
                                            Programmed in: C, C++ or other language
                                            Reputation: high

                                            General

                                            Start time: 09:04:59
                                            Start date: 23/02/2021
                                            Path: C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit): false
                                            Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase: 0x7ff6b2800000
                                            File size: 625664 bytes
                                            MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges: true
                                            Has administrator privileges: true
                                            Programmed in: C, C++ or other language
                                            Reputation: high

                                            General

                                            Start time: 09:05:00
                                            Start date: 23/02/2021
                                            Path: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
                                            Wow64 process (32bit): true
                                            Commandline: C:\Users\user\Desktop\Skilmark Co. Ltd - Purchase Order 022021.pdf.exe
                                            Imagebase: 0x8c0000
                                            File size: 729088 bytes
                                            MD5 hash: D765DCBDABED2ED1DD0FDD8800F221ED
                                            Has elevated privileges: true
                                            Has administrator privileges: true
                                            Programmed in: .Net C# or VB.NET
                                            Reputation: low

                                            Disassembly

                                            Code Analysis

                                              Executed Functions

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 01246BF8
                                              • GetCurrentThread.KERNEL32 ref: 01246C35
                                              • GetCurrentProcess.KERNEL32 ref: 01246C72
                                              • GetCurrentThreadId.KERNEL32 ref: 01246CCB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.253226206.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 01246BF8
                                              • GetCurrentThread.KERNEL32 ref: 01246C35
                                              • GetCurrentProcess.KERNEL32 ref: 01246C72
                                              • GetCurrentThreadId.KERNEL32 ref: 01246CCB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.253226206.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0921ADDE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.261429725.0000000009210000.00000040.00000001.sdmp, Offset: 09210000, based on PE: false
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0124BE0E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.253226206.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0124DD8A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.253226206.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0124DD8A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.253226206.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0921A5B0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.261429725.0000000009210000.00000040.00000001.sdmp, Offset: 09210000, based on PE: false
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0921A5B0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.261429725.0000000009210000.00000040.00000001.sdmp, Offset: 09210000, based on PE: false
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetThreadContext.KERNELBASE(?,00000000), ref: 0921A406
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.261429725.0000000009210000.00000040.00000001.sdmp, Offset: 09210000, based on PE: false
                                              Similarity
                                              • API ID: ContextThread
                                              • String ID:
                                              • API String ID: 1591575202-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01246E47
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.253226206.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetThreadContext.KERNELBASE(?,00000000), ref: 0921A406
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.261429725.0000000009210000.00000040.00000001.sdmp, Offset: 09210000, based on PE: false
                                              Similarity
                                              • API ID: ContextThread
                                              • String ID:
                                              • API String ID: 1591575202-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0921A690
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.261429725.0000000009210000.00000040.00000001.sdmp, Offset: 09210000, based on PE: false
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0921A690
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.261429725.0000000009210000.00000040.00000001.sdmp, Offset: 09210000, based on PE: false
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01246E47
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.253226206.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0921A4CE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.261429725.0000000009210000.00000040.00000001.sdmp, Offset: 09210000, based on PE: false
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0124BE89,00000800,00000000,00000000), ref: 0124C09A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.253226206.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0124BE89,00000800,00000000,00000000), ref: 0124C09A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.253226206.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0921A4CE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.261429725.0000000009210000.00000040.00000001.sdmp, Offset: 09210000, based on PE: false
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.261429725.0000000009210000.00000040.00000001.sdmp, Offset: 09210000, based on PE: false
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.261429725.0000000009210000.00000040.00000001.sdmp, Offset: 09210000, based on PE: false
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0921E26D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.261429725.0000000009210000.00000040.00000001.sdmp, Offset: 09210000, based on PE: false
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0124BE0E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.253226206.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetWindowLongW.USER32(?,?,?), ref: 0124DF1D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.253226206.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                              Similarity
                                              • API ID: LongWindow
                                              • String ID:
                                              • API String ID: 1378638983-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetWindowLongW.USER32(?,?,?), ref: 0124DF1D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.253226206.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                              Similarity
                                              • API ID: LongWindow
                                              • String ID:
                                              • API String ID: 1378638983-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.261429725.0000000009210000.00000040.00000001.sdmp, Offset: 09210000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: W
                                              • API String ID: 0-655174618
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.261429725.0000000009210000.00000040.00000001.sdmp, Offset: 09210000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.253226206.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.253226206.0000000001240000.00000040.00000001.sdmp, Offset: 01240000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.261429725.0000000009210000.00000040.00000001.sdmp, Offset: 09210000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.261429725.0000000009210000.00000040.00000001.sdmp, Offset: 09210000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.261429725.0000000009210000.00000040.00000001.sdmp, Offset: 09210000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Uniqueness

                                              Uniqueness Score: -1.00%