
Analysis Report BILLING INVOICE.pdf.exe

Overview

General Information

Sample Name: BILLING INVOICE.pdf.exe
Analysis ID: 357315
MD5: 2374bb6b2675413f13a74466b9325b97
SHA1: 143c5d4ef23ca231614a625971788275d9daee44
SHA256: 4c2079f57e1ecb6dd303d37cbe6b7e84e44d987a3fc29ef1e351ebba9fd5cc35
Tags: Endurance, exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • BILLING INVOICE.pdf.exe (PID: 6836 cmdline: 'C:\Users\user\Desktop\BILLING INVOICE.pdf.exe' MD5: 2374BB6B2675413F13A74466B9325B97)
    • schtasks.exe (PID: 4692 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ihNagUDDVeQ' /XML 'C:\Users\user\AppData\Local\Temp\tmp7646.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • BILLING INVOICE.pdf.exe (PID: 6552 cmdline: {path} MD5: 2374BB6B2675413F13A74466B9325B97)
      • schtasks.exe (PID: 5556 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp243E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • BILLING INVOICE.pdf.exe (PID: 6428 cmdline: 'C:\Users\user\Desktop\BILLING INVOICE.pdf.exe' 0 MD5: 2374BB6B2675413F13A74466B9325B97)
    • schtasks.exe (PID: 7084 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ihNagUDDVeQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpE53C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "c4cca249-81f6-4232-9f14-01569e09f5f0", "Group": "JANUARY", "Domain1": "shahzad73.casacam.net", "Domain2": "shahzad73.ddns.net", "Port": 9036, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4#=qs2bxKs15DbteFYTMsjthM8IIAMC9Avo9uFWUE1JbxpU=", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000012.00000002.483963807.0000000000402000.00000040.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000012.00000002.483963807.0000000000402000.00000040.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000012.00000002.483963807.0000000000402000.00000040.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
Source: 00000012.00000002.485784066.0000000003161000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000012.00000002.485784066.0000000003161000.00000004.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x6942b:$a: NanoCore
  • 0x69484:$a: NanoCore
  • 0x694c1:$a: NanoCore
  • 0x6953a:$a: NanoCore
  • 0x6948d:$b: ClientPlugin
  • 0x694ca:$b: ClientPlugin
  • 0x69dc8:$b: ClientPlugin
  • 0x69dd5:$b: ClientPlugin
  • 0x5f5ae:$e: KeepAlive
  • 0x69915:$g: LogClientMessage
  • 0x69895:$i: get_Connected
  • 0x59861:$j: #=q
  • 0x59891:$j: #=q
  • 0x598cd:$j: #=q
  • 0x598f5:$j: #=q
  • 0x59925:$j: #=q
  • 0x59955:$j: #=q
  • 0x59985:$j: #=q
  • 0x599b5:$j: #=q
  • 0x599d1:$j: #=q
  • 0x59a01:$j: #=q

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 18.2.BILLING INVOICE.pdf.exe.31c964c.2.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
Source: 18.2.BILLING INVOICE.pdf.exe.31c964c.2.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
Source: 18.2.BILLING INVOICE.pdf.exe.400000.0.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 18.2.BILLING INVOICE.pdf.exe.400000.0.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Source: 18.2.BILLING INVOICE.pdf.exe.400000.0.unpack | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe, ProcessId: 6552, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ihNagUDDVeQ' /XML 'C:\Users\user\AppData\Local\Temp\tmp7646.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ihNagUDDVeQ' /XML 'C:\Users\user\AppData\Local\Temp\tmp7646.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\BILLING INVOICE.pdf.exe' , ParentImage: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe, ParentProcessId: 6836, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ihNagUDDVeQ' /XML 'C:\Users\user\AppData\Local\Temp\tmp7646.tmp', ProcessId: 4692
Sigma detected: Suspicious Double Extension
Source: Process started | Author: Florian Roth (rule), @blu3_team (idea) | Data: Command: {path}, CommandLine: {path}, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe, NewProcessName: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe, OriginalFileName: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe, ParentCommandLine: 'C:\Users\user\Desktop\BILLING INVOICE.pdf.exe' , ParentImage: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe, ParentProcessId: 6836, ProcessCommandLine: {path}, ProcessId: 6552

Signature Overview

AV Detection:

Found malware configuration
Source: 00000012.00000002.485784066.0000000003161000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "c4cca249-81f6-4232-9f14-01569e09f5f0", "Group": "JANUARY", "Domain1": "shahzad73.casacam.net", "Domain2": "shahzad73.ddns.net", "Port": 9036, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4#=qs2bxKs15DbteFYTMsjthM8IIAMC9Avo9uFWUE1JbxpU=", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\ihNagUDDVeQ.exe | ReversingLabs: Detection: 40%
Multi AV Scanner detection for submitted file
Source: BILLING INVOICE.pdf.exe | ReversingLabs: Detection: 40%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000012.00000002.483963807.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.485784066.0000000003161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.403279843.0000000003849000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.474284915.0000000003A99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.485969919.0000000004169000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BILLING INVOICE.pdf.exe PID: 6428, type: MEMORY
Source: Yara match | File source: Process Memory Space: BILLING INVOICE.pdf.exe PID: 7132, type: MEMORY
Source: Yara match | File source: 18.2.BILLING INVOICE.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.BILLING INVOICE.pdf.exe.3b9cbe0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.BILLING INVOICE.pdf.exe.397f800.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.BILLING INVOICE.pdf.exe.3b9cbe0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.BILLING INVOICE.pdf.exe.41b4c4d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.BILLING INVOICE.pdf.exe.41b0624.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.BILLING INVOICE.pdf.exe.3890f60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.BILLING INVOICE.pdf.exe.41b0624.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.BILLING INVOICE.pdf.exe.394cbe0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.BILLING INVOICE.pdf.exe.3ae0f60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.BILLING INVOICE.pdf.exe.41ab7ee.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.BILLING INVOICE.pdf.exe.394cbe0.1.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\ihNagUDDVeQ.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: BILLING INVOICE.pdf.exe | Joe Sandbox ML: detected
Source: 18.2.BILLING INVOICE.pdf.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files
Source: BILLING INVOICE.pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: BILLING INVOICE.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: shahzad73.ddns.net
Source: Malware configuration extractor | URLs: shahzad73.casacam.net
Source: global traffic | TCP traffic: 192.168.2.6:49728 -> 91.212.153.84:9036
Source: Joe Sandbox View | IP Address: 91.212.153.84
Source: Joe Sandbox View | ASN Name: MYLOC-ASIPBackboneofmyLocmanagedITAGDE
Source: unknown | DNS traffic detected: queries for: shahzad73.casacam.net
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.400465122.0000000002841000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.470826846.0000000002A91000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.400396424.0000000001087000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.400396424.0000000001087000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comoitu
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: BILLING INVOICE.pdf.exe, 00000001.00000003.348946561.000000000108C000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.coms
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: BILLING INVOICE.pdf.exe, 00000012.00000002.485784066.0000000003161000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000012.00000002.483963807.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.485784066.0000000003161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.403279843.0000000003849000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.474284915.0000000003A99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.485969919.0000000004169000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BILLING INVOICE.pdf.exe PID: 6428, type: MEMORY
Source: Yara match | File source: Process Memory Space: BILLING INVOICE.pdf.exe PID: 7132, type: MEMORY
Source: Yara match | File source: 18.2.BILLING INVOICE.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.BILLING INVOICE.pdf.exe.3b9cbe0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.BILLING INVOICE.pdf.exe.397f800.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.BILLING INVOICE.pdf.exe.3b9cbe0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.BILLING INVOICE.pdf.exe.41b4c4d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.BILLING INVOICE.pdf.exe.41b0624.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.BILLING INVOICE.pdf.exe.3890f60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.BILLING INVOICE.pdf.exe.41b0624.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.BILLING INVOICE.pdf.exe.394cbe0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.BILLING INVOICE.pdf.exe.3ae0f60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.BILLING INVOICE.pdf.exe.41ab7ee.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.BILLING INVOICE.pdf.exe.394cbe0.1.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000012.00000002.483963807.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.483963807.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.485784066.0000000003161000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.403279843.0000000003849000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.403279843.0000000003849000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.474284915.0000000003A99000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.474284915.0000000003A99000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.485969919.0000000004169000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: BILLING INVOICE.pdf.exe PID: 6428, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: BILLING INVOICE.pdf.exe PID: 6428, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: BILLING INVOICE.pdf.exe PID: 7132, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: BILLING INVOICE.pdf.exe PID: 7132, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.BILLING INVOICE.pdf.exe.31c964c.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.BILLING INVOICE.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.BILLING INVOICE.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.BILLING INVOICE.pdf.exe.3b9cbe0.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.BILLING INVOICE.pdf.exe.3b9cbe0.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.BILLING INVOICE.pdf.exe.397f800.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.BILLING INVOICE.pdf.exe.397f800.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.BILLING INVOICE.pdf.exe.3b9cbe0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.BILLING INVOICE.pdf.exe.3b9cbe0.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.BILLING INVOICE.pdf.exe.41b4c4d.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.BILLING INVOICE.pdf.exe.41b0624.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.BILLING INVOICE.pdf.exe.3890f60.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.BILLING INVOICE.pdf.exe.3890f60.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.BILLING INVOICE.pdf.exe.41b0624.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.BILLING INVOICE.pdf.exe.394cbe0.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.BILLING INVOICE.pdf.exe.394cbe0.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.BILLING INVOICE.pdf.exe.3ae0f60.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.BILLING INVOICE.pdf.exe.3ae0f60.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.BILLING INVOICE.pdf.exe.41ab7ee.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.BILLING INVOICE.pdf.exe.41ab7ee.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.BILLING INVOICE.pdf.exe.394cbe0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.BILLING INVOICE.pdf.exe.394cbe0.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Executable has a suspicious name (potential lure to open the executable)
Source: BILLING INVOICE.pdf.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: BILLING INVOICE.pdf.exe
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | Code function: 1_2_005A8D28
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | Code function: 1_2_06F74190
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | Code function: 1_2_06F7417F
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | Code function: 1_2_06F73E4E
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | Code function: 1_2_06F76F40
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | Code function: 11_2_006D8D28
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | Code function: 11_2_06CA3E4E
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | Code function: 11_2_06CA6F40
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | Code function: 11_2_06CA418A
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | Code function: 11_2_06CA4190
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | Code function: 18_2_00E28D28
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | Code function: 18_2_0300E471
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | Code function: 18_2_0300E480
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | Code function: 18_2_0300BBD4
        Source: BILLING INVOICE.pdf.exe, 00000001.00000002.421992668.0000000008C80000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs BILLING INVOICE.pdf.exe
        Source: BILLING INVOICE.pdf.exe, 00000001.00000000.338522850.00000000005B0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameGH5E vs BILLING INVOICE.pdf.exe
        Source: BILLING INVOICE.pdf.exe, 00000001.00000002.420986865.00000000072E0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs BILLING INVOICE.pdf.exe
        Source: BILLING INVOICE.pdf.exe, 00000001.00000002.420986865.00000000072E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs BILLING INVOICE.pdf.exe
        Source: BILLING INVOICE.pdf.exe, 00000007.00000003.412581348.0000000006BB6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs BILLING INVOICE.pdf.exe
        Source: BILLING INVOICE.pdf.exe, 00000007.00000000.398445627.0000000001030000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameGH5E vs BILLING INVOICE.pdf.exe
        Source: BILLING INVOICE.pdf.exe, 0000000B.00000002.481309628.0000000008780000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs BILLING INVOICE.pdf.exe
        Source: BILLING INVOICE.pdf.exe, 0000000B.00000002.481612850.0000000008870000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs BILLING INVOICE.pdf.exe
        Source: BILLING INVOICE.pdf.exe, 0000000B.00000002.481612850.0000000008870000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs BILLING INVOICE.pdf.exe
        Source: BILLING INVOICE.pdf.exe, 0000000B.00000002.467276178.00000000006E0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameGH5E vs BILLING INVOICE.pdf.exe
        Source: BILLING INVOICE.pdf.exe, 00000012.00000002.484423891.0000000000E30000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameGH5E vs BILLING INVOICE.pdf.exe
        Source: BILLING INVOICE.pdf.exe, 00000012.00000002.485784066.0000000003161000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs BILLING INVOICE.pdf.exe
        Source: BILLING INVOICE.pdf.exe, 00000012.00000002.485784066.0000000003161000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs BILLING INVOICE.pdf.exe
        Source: BILLING INVOICE.pdf.exe, 00000012.00000002.485969919.0000000004169000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs BILLING INVOICE.pdf.exe
        Source: BILLING INVOICE.pdf.exe | Binary or memory string: OriginalFilenameGH5E vs BILLING INVOICE.pdf.exe
        Source: BILLING INVOICE.pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 00000012.00000002.483963807.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000012.00000002.483963807.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000012.00000002.485784066.0000000003161000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000002.403279843.0000000003849000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.403279843.0000000003849000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.474284915.0000000003A99000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.474284915.0000000003A99000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000012.00000002.485969919.0000000004169000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: BILLING INVOICE.pdf.exe PID: 6428, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: BILLING INVOICE.pdf.exe PID: 6428, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: BILLING INVOICE.pdf.exe PID: 7132, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: BILLING INVOICE.pdf.exe PID: 7132, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 18.2.BILLING INVOICE.pdf.exe.31c964c.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.BILLING INVOICE.pdf.exe.31c964c.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 18.2.BILLING INVOICE.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.BILLING INVOICE.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 18.2.BILLING INVOICE.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.BILLING INVOICE.pdf.exe.3b9cbe0.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.BILLING INVOICE.pdf.exe.3b9cbe0.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 11.2.BILLING INVOICE.pdf.exe.3b9cbe0.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.BILLING INVOICE.pdf.exe.397f800.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.BILLING INVOICE.pdf.exe.397f800.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.BILLING INVOICE.pdf.exe.397f800.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.BILLING INVOICE.pdf.exe.3b9cbe0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.BILLING INVOICE.pdf.exe.3b9cbe0.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 18.2.BILLING INVOICE.pdf.exe.41b4c4d.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.BILLING INVOICE.pdf.exe.41b4c4d.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 18.2.BILLING INVOICE.pdf.exe.41b0624.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.BILLING INVOICE.pdf.exe.41b0624.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.BILLING INVOICE.pdf.exe.3890f60.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.BILLING INVOICE.pdf.exe.3890f60.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 18.2.BILLING INVOICE.pdf.exe.41b0624.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.BILLING INVOICE.pdf.exe.41b0624.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.BILLING INVOICE.pdf.exe.394cbe0.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.BILLING INVOICE.pdf.exe.394cbe0.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.BILLING INVOICE.pdf.exe.394cbe0.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.BILLING INVOICE.pdf.exe.3ae0f60.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.BILLING INVOICE.pdf.exe.3ae0f60.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 18.2.BILLING INVOICE.pdf.exe.41ab7ee.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.BILLING INVOICE.pdf.exe.41ab7ee.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 18.2.BILLING INVOICE.pdf.exe.41ab7ee.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.BILLING INVOICE.pdf.exe.394cbe0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.BILLING INVOICE.pdf.exe.394cbe0.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: BILLING INVOICE.pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: ihNagUDDVeQ.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 18.2.BILLING INVOICE.pdf.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 18.2.BILLING INVOICE.pdf.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 18.2.BILLING INVOICE.pdf.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@15/11@14/2
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | File created: C:\Users\user\AppData\Roaming\ihNagUDDVeQ.exe
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6292:120:WilError_01
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{c4cca249-81f6-4232-9f14-01569e09f5f0}
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\lCfSqYSytpJOspWCqhSjNR
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6556:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7032:120:WilError_01
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmp7646.tmp
        Source: BILLING INVOICE.pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: BILLING INVOICE.pdf.exe | ReversingLabs: Detection: 40%
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | File read: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe
        Source: unknown | Process created: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe 'C:\Users\user\Desktop\BILLING INVOICE.pdf.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ihNagUDDVeQ' /XML 'C:\Users\user\AppData\Local\Temp\tmp7646.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe {path}
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp243E.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe 'C:\Users\user\Desktop\BILLING INVOICE.pdf.exe' 0
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ihNagUDDVeQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpE53C.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe {path}
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ihNagUDDVeQ' /XML 'C:\Users\user\AppData\Local\Temp\tmp7646.tmp'
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | Process created: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe {path}
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp243E.tmp'
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ihNagUDDVeQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpE53C.tmp'
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | Process created: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe {path}
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: BILLING INVOICE.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: BILLING INVOICE.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 18.2.BILLING INVOICE.pdf.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 18.2.BILLING INVOICE.pdf.exe.400000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | Code function: 1_2_04ECBE78 pushad ; retf 1_2_04ECBE79
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | Code function: 11_2_06CA097D push es; ret 11_2_06CA0984
        Source: initial sample | Static PE information: section name: .text entropy: 7.92505185821
        Source: 18.2.BILLING INVOICE.pdf.exe.400000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 18.2.BILLING INVOICE.pdf.exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | File created: C:\Users\user\AppData\Roaming\ihNagUDDVeQ.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ihNagUDDVeQ' /XML 'C:\Users\user\AppData\Local\Temp\tmp7646.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | File opened: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe:Zone.Identifier read attributes | delete
        Uses an obfuscated file name to hide its real file extension (double extension)
        Source: Possible double extension: pdf.exe | Static PE information: BILLING INVOICE.pdf.exe
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Window / User API: threadDelayed 5912
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Window / User API: threadDelayed 3168
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Window / User API: foregroundWindowGot 628
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Window / User API: foregroundWindowGot 566
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe TID: 6868 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe TID: 5600 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe TID: 6424 Thread sleep time: -11990383647911201s >= -30000s
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe TID: 6676 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe TID: 6108 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe TID: 2292 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: BILLING INVOICE.pdf.exe, 00000007.00000003.463933016.00000000017C5000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Memory written: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ihNagUDDVeQ' /XML 'C:\Users\user\AppData\Local\Temp\tmp7646.tmp'
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Process created: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe {path}
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp243E.tmp'
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ihNagUDDVeQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpE53C.tmp'
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Process created: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe {path}
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe, Queries volume information (VolumeInformation) on each of the following files, in this order:
C:\Windows\Fonts\ENGR.TTF
C:\Windows\Fonts\ELEPHNT.TTF
C:\Windows\Fonts\ELEPHNTI.TTF
C:\Windows\Fonts\ITCEDSCR.TTF
C:\Windows\Fonts\CURLZ___.TTF
C:\Windows\Fonts\COPRGTL.TTF
C:\Windows\Fonts\COPRGTB.TTF
C:\Windows\Fonts\CENSCBK.TTF
C:\Windows\Fonts\SCHLBKI.TTF
C:\Windows\Fonts\SCHLBKB.TTF
C:\Windows\Fonts\SCHLBKBI.TTF
C:\Windows\Fonts\CASTELAR.TTF
C:\Windows\Fonts\CALIST.TTF
C:\Windows\Fonts\CALISTI.TTF
C:\Windows\Fonts\CALISTB.TTF
C:\Windows\Fonts\CALISTBI.TTF
C:\Windows\Fonts\BOOKOS.TTF
C:\Windows\Fonts\BOOKOSB.TTF
C:\Windows\Fonts\BOOKOSI.TTF
C:\Windows\Fonts\BOOKOSBI.TTF
C:\Windows\Fonts\BOD_R.TTF
C:\Windows\Fonts\BOD_I.TTF
C:\Windows\Fonts\BOD_B.TTF
C:\Windows\Fonts\BOD_BI.TTF
C:\Windows\Fonts\BOD_CR.TTF
C:\Windows\Fonts\BOD_BLAR.TTF
C:\Windows\Fonts\BOD_CI.TTF
C:\Windows\Fonts\BOD_CB.TTF
C:\Windows\Fonts\BOD_BLAI.TTF
C:\Windows\Fonts\BOD_CBI.TTF
C:\Windows\Fonts\ITCBLKAD.TTF
C:\Windows\Fonts\ARLRDBD.TTF
C:\Windows\Fonts\AGENCYR.TTF
C:\Windows\Fonts\AGENCYB.TTF
C:\Windows\Fonts\BSSYM7.TTF
C:\Windows\Fonts\REFSAN.TTF
C:\Windows\Fonts\REFSPCL.TTF
C:\Windows\Fonts\MTEXTRA.TTF
C:\Windows\Fonts\marlett.ttf
C:\Windows\Fonts\segoeuii.ttf
C:\Windows\Fonts\segoeuiz.ttf
C:\Windows\Fonts\micross.ttf
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Users\user\Desktop\BILLING INVOICE.pdf.exe
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
C:\Users\user\Desktop\BILLING INVOICE.pdf.exe
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Users\user\Desktop\BILLING INVOICE.pdf.exe
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe, WMI Queries (the following three queries are recorded 13 times each, always in this order):
IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match, file source: 00000012.00000002.483963807.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000012.00000002.485784066.0000000003161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.403279843.0000000003849000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000B.00000002.474284915.0000000003A99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000012.00000002.485969919.0000000004169000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: BILLING INVOICE.pdf.exe PID: 6428, type: MEMORY
Source: Yara match, file source: Process Memory Space: BILLING INVOICE.pdf.exe PID: 7132, type: MEMORY
Source: Yara match, file source: 18.2.BILLING INVOICE.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 11.2.BILLING INVOICE.pdf.exe.3b9cbe0.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.BILLING INVOICE.pdf.exe.397f800.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 11.2.BILLING INVOICE.pdf.exe.3b9cbe0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 18.2.BILLING INVOICE.pdf.exe.41b4c4d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 18.2.BILLING INVOICE.pdf.exe.41b0624.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.BILLING INVOICE.pdf.exe.3890f60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 18.2.BILLING INVOICE.pdf.exe.41b0624.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.BILLING INVOICE.pdf.exe.394cbe0.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 11.2.BILLING INVOICE.pdf.exe.3ae0f60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 18.2.BILLING INVOICE.pdf.exe.41ab7ee.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.BILLING INVOICE.pdf.exe.394cbe0.1.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: BILLING INVOICE.pdf.exe, 00000007.00000003.412581348.0000000006BB6000.00000004.00000001.sdmp, string found in binary or memory: NanoCore.ClientPluginHost
Source: BILLING INVOICE.pdf.exe, 0000000B.00000002.474284915.0000000003A99000.00000004.00000001.sdmp, string found in binary or memory: NanoCore.ClientPluginHost
Source: BILLING INVOICE.pdf.exe, 00000012.00000002.483963807.0000000000402000.00000040.00000001.sdmp, string found in binary or memory: NanoCore.ClientPluginHost
Source: BILLING INVOICE.pdf.exe, 00000012.00000002.485784066.0000000003161000.00000004.00000001.sdmp, string found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT
Source: Yara match, file source: 00000012.00000002.483963807.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000012.00000002.485784066.0000000003161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.403279843.0000000003849000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000B.00000002.474284915.0000000003A99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000012.00000002.485969919.0000000004169000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: BILLING INVOICE.pdf.exe PID: 6428, type: MEMORY
Source: Yara match, file source: Process Memory Space: BILLING INVOICE.pdf.exe PID: 7132, type: MEMORY
Source: Yara match, file source: 18.2.BILLING INVOICE.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 11.2.BILLING INVOICE.pdf.exe.3b9cbe0.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.BILLING INVOICE.pdf.exe.397f800.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 11.2.BILLING INVOICE.pdf.exe.3b9cbe0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 18.2.BILLING INVOICE.pdf.exe.41b4c4d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 18.2.BILLING INVOICE.pdf.exe.41b0624.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.BILLING INVOICE.pdf.exe.3890f60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 18.2.BILLING INVOICE.pdf.exe.41b0624.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.BILLING INVOICE.pdf.exe.394cbe0.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 11.2.BILLING INVOICE.pdf.exe.3ae0f60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 18.2.BILLING INVOICE.pdf.exe.41ab7ee.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.BILLING INVOICE.pdf.exe.394cbe0.1.raw.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

The matrix is laid out one tactic per column; the columns are independent lists, reproduced here per tactic. Techniques carrying a number in parentheses are the ones the matrix marks as observed in this analysis; the number is the matrix's signature-count badge, reproduced as shown. The remaining entries are the matrix's unobserved placeholders.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (1); Scheduled Task/Job (1); At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Scheduled Task/Job (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (1 1 1); Scheduled Task/Job (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1 1); Virtualization/Sandbox Evasion (3); Disable or Modify Tools (1); Process Injection (1 1 1); Deobfuscate/Decode Files or Information (1); Hidden Files and Directories (1); Obfuscated Files or Information (1 2); Software Packing (1 3)
Credential Access: Input Capture (1 1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Query Registry (1); Security Software Discovery (1 2 1); Virtualization/Sandbox Evasion (3); Process Discovery (1); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (1 2); Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Input Capture (1 1); Archive Collected Data (1 1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (1); Application Layer Protocol (1 1); Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

        Behavior Graph

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
Behavior Graph ID: 357315; Sample: BILLING INVOICE.pdf.exe; Start date: 24/02/2021; Architecture: WINDOWS; Score: 100

The graph's nodes and edges, written out (node numbers are the graph's own; the number in square brackets after a process is the badge the graph shows on that node, per the legend above):

Node 2 (start): signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 14 other signatures. Started: 8 BILLING INVOICE.pdf.exe [6]; 12 BILLING INVOICE.pdf.exe [4].

Process 8 BILLING INVOICE.pdf.exe: dropped C:\Users\user\AppData\...\ihNagUDDVeQ.exe (PE32); C:\Users\user\AppData\Local\...\tmp7646.tmp (XML); C:\Users\user\...\BILLING INVOICE.pdf.exe.log (ASCII). Signature: Injects a PE file into a foreign processes. Started: 14 BILLING INVOICE.pdf.exe [12]; 19 schtasks.exe [1].

Process 12 BILLING INVOICE.pdf.exe: started 21 schtasks.exe [1]; 23 BILLING INVOICE.pdf.exe [2].

Process 14 BILLING INVOICE.pdf.exe: DNS/IP: shahzad73.casacam.net, 91.212.153.84, ports 49728, 49729, 49732, MYLOC-AS IP Backbone of myLoc managed IT AG, DE, unknown; 192.168.2.1, unknown, unknown. Dropped: C:\Users\user\AppData\Roaming\...\run.dat (data). Signature: Hides that the sample has been downloaded from the Internet (zone.identifier). Started: 25 schtasks.exe [1].

Process 19 schtasks.exe started 27 conhost.exe. Process 21 schtasks.exe started 29 conhost.exe. Process 25 schtasks.exe started 31 conhost.exe.
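Several of the behaviours this report records translate directly into triage checks: the double-extension lure name (BILLING INVOICE.pdf.exe), a task definition dropped as tmp7646.tmp (XML) and imported by a schtasks.exe child of the sample, the repeated ROOT\SecurityCenter2 queries for AntiVirusProduct, AntiSpywareProduct and FirewallProduct, and the NanoCore.ClientPluginHost / ClientPlugin.dll identifiers found in memory. The Python below is an added example written for this page, not Joe Sandbox code. Its event dictionaries are constructed to resemble Sysmon process-creation (Image, CommandLine, ParentImage) and Microsoft-Windows-WMI-Activity/Operational (Operation) records; the schtasks command line, the task name, the benign control rows and the sample memory buffer are assumptions, since the report shows only that the XML was dropped and schtasks.exe was started, not the command line.

```python
"""Triage rules for the behaviours recorded in the report above, run over
constructed events. Example code added by the editor, not part of the Joe
Sandbox report; the event field names (Image, CommandLine, ParentImage for
process creation; Operation for WMI activity) are assumptions modelled on
Sysmon Event ID 1 and the Microsoft-Windows-WMI-Activity/Operational log."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Document-type extensions that turn "<name>.<doc>.exe" into a lure (assumed list).
DOC_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
EXEC_EXTENSIONS = {"exe", "scr", "com", "pif"}
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
# schtasks.exe /Create ... /XML <path>: capture the imported task definition.
SCHTASKS_XML_RE = re.compile(r'/create\b.*?/xml\s+"?([^"\s]+)', re.IGNORECASE)
# The query text the report shows being issued 13 times per class.
SECURITYCENTER_RE = re.compile(
    r"ROOT\\SecurityCenter2\s*:\s*SELECT\s+DisplayName\s+FROM\s+"
    r"(AntiVirusProduct|AntiSpywareProduct|FirewallProduct)", re.IGNORECASE)
# Identifiers the report found in memory. .NET metadata names are UTF-8 (ASCII
# here), user strings are UTF-16LE, so both encodings are searched.
NANOCORE_STRINGS = ["NanoCore.ClientPluginHost", "IClientNetworkHost", "ClientPlugin.dll"]


def is_double_extension(path: str) -> bool:
    """True for 'BILLING INVOICE.pdf.exe' (document extension directly followed
    by an executable extension); False for 'ihNagUDDVeQ.exe'."""
    parts = path.rsplit("\\", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXTENSIONS and parts[-2] in DOC_EXTENSIONS


def schtasks_xml_from_temp(event: Dict[str, str]) -> Optional[str]:
    """Path of the task XML if schtasks.exe imports it from a temp directory."""
    if not event.get("Image", "").lower().endswith("\\schtasks.exe"):
        return None
    m = SCHTASKS_XML_RE.search(event.get("CommandLine", ""))
    return m.group(1) if m and TEMP_DIR_RE.search(m.group(1)) else None


def security_center_enumeration(event: Dict[str, str]) -> Optional[str]:
    """The SecurityCenter2 class queried (AV, antispyware or firewall), if any."""
    m = SECURITYCENTER_RE.search(event.get("Operation", ""))
    return m.group(1) if m else None


def nanocore_strings_in(buf: bytes) -> List[str]:
    """Which NanoCore plugin-host identifiers occur in a dump, ASCII or UTF-16LE."""
    return [s for s in NANOCORE_STRINGS
            if s.encode("ascii") in buf or s.encode("utf-16-le") in buf]


def triage(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Apply the event rules in order and return (rule, detail) hits."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        if is_double_extension(ev.get("Image", "")):
            hits.append(("double_extension_lure", ev["Image"]))
        xml = schtasks_xml_from_temp(ev)
        if xml:
            hits.append(("schtasks_xml_from_temp", xml))
        cls = security_center_enumeration(ev)
        if cls:
            hits.append(("securitycenter2_enumeration", cls))
    return hits


# Constructed sample events: file paths and query text come from the report;
# the command lines, task name and benign control rows are assumed.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\user\Desktop\BILLING INVOICE.pdf.exe",
     "CommandLine": r'"C:\Users\user\Desktop\BILLING INVOICE.pdf.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /TN "ihNagUDDVeQ" /XML "C:\Users\user\AppData\Local\Temp\tmp7646.tmp"',
     "ParentImage": r"C:\Users\user\Desktop\BILLING INVOICE.pdf.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",  # benign control
     "CommandLine": r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\Backup\task.xml"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Operation": r"Start IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct"},
    {"Operation": r"Start IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_OperatingSystem"},  # benign
]
# Constructed stand-in for a memory dump: one ASCII and one UTF-16LE identifier amid padding.
SAMPLE_DUMP = b"\x00" * 16 + b"NanoCore.ClientPluginHost" + b"\x00" * 8 + "ClientPlugin.dll".encode("utf-16-le")

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
    print("strings:", nanocore_strings_in(SAMPLE_DUMP))
```

On the sample events the three rules fire once each (the lure name, the temp-directory task XML, and the AntiVirusProduct query) and the two benign rows stay silent; the dump scan returns the two identifiers embedded in it. The double-extension check on its own is a weak signal and is best combined with the parent relationship the report shows, the lure process spawning schtasks.exe.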

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

Source | Detection | Scanner | Label
BILLING INVOICE.pdf.exe | 40% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoBot
BILLING INVOICE.pdf.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\ihNagUDDVeQ.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\ihNagUDDVeQ.exe | 40% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoBot

Unpacked PE Files

Source | Detection | Scanner | Label
18.2.BILLING INVOICE.pdf.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

Domains

Source | Detection | Scanner | Label
shahzad73.casacam.net | 5% | Virustotal |

        URLs

Source | Detection | Scanner | Label
shahzad73.ddns.net | 1% | Virustotal |
shahzad73.ddns.net | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.coms | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.comoitu | 0% | URL Reputation | safe
http://www.fontbureau.comm | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
shahzad73.casacam.net | 5% | Virustotal |
shahzad73.casacam.net | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

Name: shahzad73.casacam.net
IP: 91.212.153.84
Active: true
Malicious: true
Reputation: unknown

        Contacted URLs

Name: shahzad73.ddns.net
Malicious: true
Antivirus Detection:
• 1%, Virustotal
• Avira URL Cloud: safe
Reputation: unknown

Name: shahzad73.casacam.net
Malicious: true
Antivirus Detection:
• 5%, Virustotal
• Avira URL Cloud: safe
Reputation: unknown

        URLs from Memory and Binaries

Name: http://www.apache.org/licenses/LICENSE-2.0
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp
Malicious: false
Reputation: high

Name: http://www.fontbureau.com
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp
Malicious: false
Reputation: high

Name: http://www.fontbureau.com/designersG
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp
Malicious: false
Reputation: high

Name: http://www.fontbureau.com/designers/?
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp
Malicious: false
Reputation: high

Name: http://www.founder.com.cn/cn/bThe
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe (4 identical entries)
Reputation: unknown

Name: http://www.tiro.coms
Source: BILLING INVOICE.pdf.exe, 00000001.00000003.348946561.000000000108C000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://www.fontbureau.com/designers?
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp
Malicious: false
Reputation: high

Name: http://www.tiro.com
Source: BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe (4 identical entries)
Reputation: unknown

Name: http://www.fontbureau.com/designers
Source: BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp
Malicious: false
Reputation: high

Name: http://www.goodfont.co.kr
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe (4 identical entries)
Reputation: unknown

Name: http://www.carterandcone.coml
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe (4 identical entries)
Reputation: unknown

Name: http://www.sajatypeworks.com
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe (4 identical entries)
Reputation: unknown

Name: http://www.typography.netD
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe (4 identical entries)
Reputation: unknown

Name: http://www.fontbureau.com/designers/cabarga.htmlN
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp
Malicious: false
Reputation: high

Name: http://www.founder.com.cn/cn/cThe
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe (4 identical entries)
Reputation: unknown

Name: http://www.galapagosdesign.com/staff/dennis.htm
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe (4 identical entries)
Reputation: unknown

Name: http://fontfabrik.com
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe (4 identical entries)
Reputation: unknown

Name: http://www.founder.com.cn/cn
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe (4 identical entries)
Reputation: unknown

Name: http://www.fontbureau.com/designers/frere-jones.html
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp
Malicious: false
Reputation: high

Name: http://www.fontbureau.comoitu
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.400396424.0000000001087000.00000004.00000040.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe (4 identical entries)
Reputation: unknown

Name: http://www.fontbureau.comm
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.400396424.0000000001087000.00000004.00000040.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe (4 identical entries)
Reputation: unknown

Name: http://www.jiyu-kobo.co.jp/
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe (4 identical entries)
Reputation: unknown

Name: http://www.galapagosdesign.com/DPlease
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe (4 identical entries)
Reputation: unknown

Name: http://www.fontbureau.com/designers8
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp
Malicious: false
Reputation: high

Name: http://www.fonts.com
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp
Malicious: false
Reputation: high

Name: http://www.sandoll.co.kr
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe (4 identical entries)
Reputation: unknown

Name: http://www.urwpp.deDPlease
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe (4 identical entries)
Reputation: unknown

Name: http://www.zhongyicts.com.cn
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe (4 identical entries)
Reputation: unknown

Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.400465122.0000000002841000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.470826846.0000000002A91000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://www.sakkal.com
Source: BILLING INVOICE.pdf.exe, 00000001.00000002.412476630.0000000006A22000.00000004.00000001.sdmp, BILLING INVOICE.pdf.exe, 0000000B.00000002.479024535.00000000059F0000.00000002.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe (4 identical entries)
Reputation: unknown

                              Contacted IPs


                              Public

IP: 91.212.153.84
Domain: unknown
Country: unknown
ASN: 24961
ASN Name: MYLOC-ASIPBackboneofmyLocmanagedITAGDE
Malicious: true

                              Private

IP: 192.168.2.1

                              General Information

                              Joe Sandbox Version:31.0.0 Emerald
                              Analysis ID:357315
                              Start date:24.02.2021
                              Start time:12:56:18
                              Joe Sandbox Product:CloudBasic
                              Overall analysis duration:0h 10m 26s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Sample file name:BILLING INVOICE.pdf.exe
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:27
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@15/11@14/2
                              EGA Information:Failed
                              HDC Information:Failed
                              HCA Information:
                              • Successful, ratio: 89%
                              • Number of executed functions: 37
                              • Number of non-executed functions: 4
                              Cookbook Comments:
                              • Adjust boot time
                              • Enable AMSI
                              • Found application associated with file extension: .exe
                              Warnings:
                              • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                              • Excluded IPs from analysis (whitelisted): 51.104.139.180, 168.61.161.212, 204.79.197.200, 13.107.21.200, 23.54.113.53, 52.255.188.83, 104.42.151.234, 52.147.198.201, 51.104.144.132, 23.0.174.187, 23.0.174.185, 51.103.5.159, 23.10.249.26, 23.10.249.25, 52.155.217.156, 20.54.26.129, 95.100.54.203
                              • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, vip1-par02p.wns.notify.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.

                              Simulations

                              Behavior and APIs

Time: 12:57:25, Type: API Interceptor, Description: 749x Sleep call for process: BILLING INVOICE.pdf.exe modified
Time: 12:57:46, Type: Task Scheduler, Description: Run new task: DHCP Monitor path: "C:\Users\user\Desktop\BILLING INVOICE.pdf.exe" s>$(Arg0)

                              Joe Sandbox View / Context

                              IPs

Match: 91.212.153.84
Associated samples (detection: malicious for each):
• JMG Memo-Circular No 018-21.PDF.exe
• LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
• POEA ADVISORY ON DELISTED AGENCIES.PDF.exe
• Swift copy_BILLING INVOICE.pdf.exe
• POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
• POEA ADVISORY NO 450 2021.pdf.exe
• POEA DELISTED AGENCIES (BATCH A).PDF.exe
• POEA MEMORANDUM N0 056.exe
• Protected.exe
• Protected.2.exe

                                                  Domains

Match: shahzad73.casacam.net
Associated samples (detection: malicious for each; context IP in parentheses):
• JMG Memo-Circular No 018-21.PDF.exe (91.212.153.84)
• LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe (91.212.153.84)
• POEA ADVISORY ON DELISTED AGENCIES.PDF.exe (91.212.153.84)
• Swift copy_BILLING INVOICE.pdf.exe (91.212.153.84)
• POEA ADVISORY ON DELISTED AGENCIES.pdf.exe (91.212.153.84)
• POEA ADVISORY NO 450 2021.pdf.exe (91.212.153.84)
• POEA DELISTED AGENCIES (BATCH A).PDF.exe (91.212.153.84)
• POEA MEMORANDUM N0 056.exe (91.212.153.84)
• Protected.exe (91.212.153.84)
• Protected.2.exe (91.212.153.84)

                                                  ASN

Match: MYLOC-ASIPBackboneofmyLocmanagedITAGDE
Associated samples (detection: malicious for each; context IP in parentheses):
• JMG Memo-Circular No 018-21.PDF.exe (91.212.153.84)
• LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe (91.212.153.84)
• POEA ADVISORY ON DELISTED AGENCIES.PDF.exe (91.212.153.84)
• Swift copy_BILLING INVOICE.pdf.exe (91.212.153.84)
• POEA ADVISORY ON DELISTED AGENCIES.pdf.exe (91.212.153.84)
• POEA ADVISORY NO 450 2021.pdf.exe (91.212.153.84)
• POEA DELISTED AGENCIES (BATCH A).PDF.exe (91.212.153.84)
• POEA MEMORANDUM N0 056.exe (91.212.153.84)
• Swift_Payment_jpeg.exe (62.141.37.17)
• Protected.exe (91.212.153.84)
• Protected.2.exe (91.212.153.84)
• FickerStealer.exe (89.163.225.172)
• Documentaci#U00f3n.doc (89.163.210.141)
• SecuriteInfo.com.Trojan.DownLoader36.34557.26355.exe (89.163.140.102)
• TaskAudio Driver.exe (193.111.198.220)
• Z8363664.doc (89.163.210.141)
• OhGodAnETHlargementPill2.exe (193.111.198.220)
• godflex-r2.exe (193.111.198.220)
• PolarisBiosEditor-master.exe (193.111.198.220)
• NKsplucdAu.exe (85.114.134.88)

                                                  JA3 Fingerprints

                                                  No context

                                                  Dropped Files

                                                  No context

                                                  Created / dropped Files

                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BILLING INVOICE.pdf.exe.log
                                                  Process:C:\Users\user\Desktop\BILLING INVOICE.pdf.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1216
                                                  Entropy (8bit):5.355304211458859
                                                  Encrypted:false
                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                  MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                  SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                  SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                  SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                  Malicious:true
                                                  Reputation:high, very likely benign file
                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                  C:\Users\user\AppData\Local\Temp\tmp243E.tmp
                                                  Process:C:\Users\user\Desktop\BILLING INVOICE.pdf.exe
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1312
                                                  Entropy (8bit):5.114327114062219
                                                  Encrypted:false
                                                  SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0VKZxtn:cbk4oL600QydbQxIYODOLedq3tj
                                                  MD5:5ADF9BAA3F018F7135770CE8913A6CBE
                                                  SHA1:0A15D3279AEC06B1428ED22191656B5704188A3A
                                                  SHA-256:35F2AA041A3F5D5BD661018D40D331D630F2D0D6D104699591F5F41BDF8DC6DC
                                                  SHA-512:8B4CA8D6327A664AC1782A0A401109E81078E7624385130C30F5DAB8CE062D04E0668110867EE868FE8A45DE311C87D08CE3E3B61A6F937BBAA9F84679D042EF
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                  C:\Users\user\AppData\Local\Temp\tmp7646.tmp
                                                  Process:C:\Users\user\Desktop\BILLING INVOICE.pdf.exe
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1656
                                                  Entropy (8bit):5.162410656291698
                                                  Encrypted:false
                                                  SSDEEP:24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3+qtn:cbha7JlNQV/rydbz9I3YODOLNdq3Mc
                                                  MD5:7D606680B22EE1B5946753B87107DD2F
                                                  SHA1:0B0FF271AB0F95CC85B56097BD0F3FE31F5D7D34
                                                  SHA-256:E9DF8AC1EF30AA4DFE4AE252BAA408D81391A8718F47CCFA1DCA634FE30210CE
                                                  SHA-512:7DE94C954F99A130E6D76DE5C626A3431A0FDEB4B08D444DF2A09CF6C28B12FC5FBC4173C500ED094C3B9DA5ABFFB0CEDEF9E8BB772C3792ADED4A8B0753458F
                                                  Malicious:true
                                                  Reputation:low
                                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail
                                                  C:\Users\user\AppData\Local\Temp\tmpE53C.tmp
                                                  Process:C:\Users\user\Desktop\BILLING INVOICE.pdf.exe
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1656
                                                  Entropy (8bit):5.162410656291698
                                                  Encrypted:false
                                                  SSDEEP:24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3+qtn:cbha7JlNQV/rydbz9I3YODOLNdq3Mc
                                                  MD5:7D606680B22EE1B5946753B87107DD2F
                                                  SHA1:0B0FF271AB0F95CC85B56097BD0F3FE31F5D7D34
                                                  SHA-256:E9DF8AC1EF30AA4DFE4AE252BAA408D81391A8718F47CCFA1DCA634FE30210CE
                                                  SHA-512:7DE94C954F99A130E6D76DE5C626A3431A0FDEB4B08D444DF2A09CF6C28B12FC5FBC4173C500ED094C3B9DA5ABFFB0CEDEF9E8BB772C3792ADED4A8B0753458F
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail
                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                  Process:C:\Users\user\Desktop\BILLING INVOICE.pdf.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1856
                                                  Entropy (8bit):7.089541637477408
                                                  Encrypted:false
                                                  SSDEEP:48:IknjhUknjhUknjhUknjhUknjhUknjhUknjhUknjhL:HjhDjhDjhDjhDjhDjhDjhDjhL
                                                  MD5:30D23CC577A89146961915B57F408623
                                                  SHA1:9B5709D6081D8E0A570511E6E0AAE96FA041964F
                                                  SHA-256:E2130A72E55193D402B5F43F7F3584ECF6B423F8EC4B1B1B69AD693C7E0E5A9E
                                                  SHA-512:2D5C5747FD04F8326C2CC1FB313925070BC01D3352AFA6C36C167B72757A15F58B6263D96BD606338DA055812E69DDB628A6E18D64DD59697C2F42D1C58CC687
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                  Process:C:\Users\user\Desktop\BILLING INVOICE.pdf.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):8
                                                  Entropy (8bit):3.0
                                                  Encrypted:false
                                                  SSDEEP:3:XyAn:iA
                                                  MD5:F5C9CFE85A11961BD3AEB58399B50444
                                                  SHA1:D7E92C41BC0CE6E0AD648E7FF08DCEDB01EAB2AB
                                                  SHA-256:DF1CF9AF49C4A2756ED3A1B4C828C40658C2E59B0F378A4E45FA618DBD59BC87
                                                  SHA-512:74C1EA3D84B1AE7812AA0B4E7FCDD86610B858E066D32F2B83A781AE1F8A290D6692C2A99B1E172B974B23B2A2910421A770D19230AB22A19F1E1B91C5B8B6AA
                                                  Malicious:true
                                                  Preview: ..8....H
                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
                                                  Process:C:\Users\user\Desktop\BILLING INVOICE.pdf.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):24
                                                  Entropy (8bit):4.501629167387823
                                                  Encrypted:false
                                                  SSDEEP:3:9bzY6oRDIvYk:RzWDI3
                                                  MD5:ACD3FB4310417DC77FE06F15B0E353E6
                                                  SHA1:80E7002E655EB5765FDEB21114295CB96AD9D5EB
                                                  SHA-256:DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
                                                  SHA-512:DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
                                                  Malicious:false
                                                  Preview: 9iH...}Z.4..f..J".C;"a
                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                                  Process:C:\Users\user\Desktop\BILLING INVOICE.pdf.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):64
                                                  Entropy (8bit):5.320159765557392
                                                  Encrypted:false
                                                  SSDEEP:3:9bzY6oRDIvYVsRLY6oRDT6P2bfVn1:RzWDIfRWDT621
                                                  MD5:BB0F9B9992809E733EFFF8B0E562CFD6
                                                  SHA1:F0BAB3CF73A04F5A689E6AFC764FEE9276992742
                                                  SHA-256:C48F04FE7525AA3A3F9540889883F649726233DE021724823720A59B4F37CEAC
                                                  SHA-512:AE4280AA460DC1C0301D458A3A443F6884A0BE37481737B2ADAFD72C33C55F09BED88ED239C91FE6F19CA137AC3CD7C9B8454C21D3F8E759687F701C8B3C7A16
                                                  Malicious:false
                                                  Preview: 9iH...}Z.4..f..J".C;"a9iH...}Z.4..f.~a........~.~.......3.U.
                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                                  Process:C:\Users\user\Desktop\BILLING INVOICE.pdf.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):327768
                                                  Entropy (8bit):7.999367066417797
                                                  Encrypted:true
                                                  SSDEEP:6144:oX44S90aTiB66x3PlZmqze1d1wI8lkWmtjJ/3Exi:LkjbU7LjGxi
                                                  MD5:2E52F446105FBF828E63CF808B721F9C
                                                  SHA1:5330E54F238F46DC04C1AC62B051DB4FCD7416FB
                                                  SHA-256:2F7479AA2661BD259747BC89106031C11B3A3F79F12190E7F19F5DF65B7C15C8
                                                  SHA-512:C08BA0E3315E2314ECBEF38722DF834C2CB8412446A9A310F41A8F83B4AC5984FCC1B26A1D8B0D58A730FDBDD885714854BDFD04DCDF7F582FC125F552D5C3CA
                                                  Malicious:false
                                                  Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                                  Process:C:\Users\user\Desktop\BILLING INVOICE.pdf.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):49
                                                  Entropy (8bit):4.5043757225526235
                                                  Encrypted:false
                                                  SSDEEP:3:oNN2+WnU5Smghr:oNN2RAgt
                                                  MD5:93C14289219843A7235690B344ADE36E
                                                  SHA1:FF89BC91614F8ACF36ED4C203D781D6B590B1577
                                                  SHA-256:09998F5BF070501F5208AE0AD6855E1FB7EF44ECC161944F278C634FD3992A77
                                                  SHA-512:7A8C7758B2F130BA48F2DD84337EE951E9985FB04CEC20B4A0E7DE8DAEA9576104B07CEB8AA2F657846BD5523FEA4A6F7EBAE793087DABB763F2EC6764106667
                                                  Malicious:false
                                                  Preview: C:\Users\user\Desktop\BILLING INVOICE.pdf.exe
                                                  C:\Users\user\AppData\Roaming\ihNagUDDVeQ.exe
                                                  Process:C:\Users\user\Desktop\BILLING INVOICE.pdf.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):381440
                                                  Entropy (8bit):7.912703799735133
                                                  Encrypted:false
                                                  SSDEEP:6144:IdLOyWI+/pOD6wzzMLDOsFnWTU607u94jQBGQgwQ+6kLhokTpQmqSvtyvu:JEL6wEfOsFWTU5SmjQBG1P+d3pZX
                                                  MD5:2374BB6B2675413F13A74466B9325B97
                                                  SHA1:143C5D4EF23CA231614A625971788275D9DAEE44
                                                  SHA-256:4C2079F57E1ECB6DD303D37CBE6B7E84E44D987A3FC29EF1E351EBBA9FD5CC35
                                                  SHA-512:819782C178CD37D0668EA40CC1B8EBD7EE6154D00388D86FBA4FA608A87C633C06093AB9F9E15A3C7C947B9B4FD79116CFA260A10812789C9987D1ECFA125CC8
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 40%
                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....5`................................. ........@.. .......................@............@.....................................O............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......@...\[...........g..h$..........................................r.(8......r...p(7.....o;....*....0............{.....+..*.0..*.........#............,...}....+..#........}....*...0............{.....+..*.0..*.........#............,...}....+..#........}....*...0............{.....+..*.0..*.........#............,...}....+..#........}....*...0..M........#.......@.{.....{....ZZ#.......@.{.....{....ZZX#.......@.{.....{....ZZX.+..*....0............{.....{....Z.{....Z.+..*...0..
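The two tmp*.tmp files above are Task Scheduler XML definitions (schema version 1.2) that the sample writes to %TEMP% before registering them: an enabled LogonTrigger, an InteractiveToken principal and RunLevel LeastPrivilege. The script below is an added example for this report, not Joe Sandbox's or NanoCore's code. It parses such a definition and reports the persistence-relevant settings. The report's preview is cut off before the Actions element, so the Exec command in the constructed sample is a placeholder path, not something the report shows; the list of user-writable locations is this example's assumption. It also handles the quirk visible in the report: the XML declares UTF-16 but the dropped file is plain ASCII.

```python
"""Triage a Windows Task Scheduler XML definition for persistence indicators.

Added example for this report, not Joe Sandbox's or NanoCore's code. The
<Actions> block in the constructed sample is a placeholder (the report's
preview ends before it); USER_WRITABLE is an assumption.
"""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumption: a task whose executable lives in one of these was not installed by an admin package.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def load_task(data: bytes) -> ET.Element:
    """Task XML normally declares encoding="UTF-16", but the dropped tmp file in the
    report is ASCII. expat rejects ASCII bytes that carry a UTF-16 declaration, so
    fall back to parsing the decoded text, where the declaration is ignored."""
    try:
        return ET.fromstring(data)
    except ET.ParseError:
        return ET.fromstring(data.decode("utf-8", errors="replace"))


def analyse_task(data: bytes) -> dict:
    """Return enabled triggers, principal details, Exec commands and a list of findings."""
    root = load_task(data)
    triggers = root.find("t:Triggers", NS)
    enabled = [t.tag.rsplit("}", 1)[-1]
               for t in (list(triggers) if triggers is not None else [])
               if t.findtext("t:Enabled", default="true", namespaces=NS).lower() == "true"]
    principal = root.find("t:Principals/t:Principal", NS)

    def field(name: str) -> str:
        return principal.findtext(name, default="", namespaces=NS) if principal is not None else ""

    commands = [c.text or "" for c in root.findall("t:Actions/t:Exec/t:Command", NS)]
    result = {"triggers": enabled, "user": field("t:UserId"), "logon_type": field("t:LogonType"),
              "run_level": field("t:RunLevel"), "commands": commands, "findings": []}
    if "LogonTrigger" in enabled:
        result["findings"].append(f"re-executes at every logon of {result['user']}")
    if result["run_level"] == "LeastPrivilege" and result["logon_type"] == "InteractiveToken":
        result["findings"].append("runs as the interactive user without elevation: "
                                  "a standard user can register it and no UAC prompt is shown")
    for cmd in commands:
        if any(marker in cmd.lower() for marker in USER_WRITABLE):
            result["findings"].append(f"action binary is in a user-writable location: {cmd}")
    return result


# Constructed sample: the visible part of the report's task XML, plus a placeholder Actions block.
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>computer\\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>computer\\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>computer\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <AllowHardTerminate>false</AllowHardTerminate>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Roaming\\PLACEHOLDER.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

if __name__ == "__main__":
    for line in analyse_task(SAMPLE_TASK_XML.encode("ascii"))["findings"]:
        print(line)
```

On a live host the same function can be pointed at C:\Windows\System32\Tasks\<name> (those files are real UTF-16) or at a tmp file recovered from a user's %TEMP%; the fallback path only matters for ASCII files that still carry the UTF-16 declaration, which is exactly what the sandbox saw here.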
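The dropped-file list also shows the on-disk footprint the implant leaves in the user profile: a GUID-named directory under AppData\Roaming holding run.dat (8 bytes), catalog.dat, settings.bin, settings.bak, storage.dat (327768 bytes, entropy 7.999, flagged Encrypted) and task.dat, whose content is the plain path of the original dropper. The following hunting script is an added example for this report, not Joe Sandbox's or NanoCore's code: it walks a Roaming folder for that pattern and recomputes the 8-bit entropy the report prints. The "3 of 6 files" rule and the 7.9 entropy threshold are this example's assumptions, and build_sample_tree() fabricates a stand-in directory whose file contents are constructed, not the real dropped bytes.

```python
"""Hunt a Roaming profile for NanoCore-style persistence directories.

Added example for this report, not Joe Sandbox's or NanoCore's code. File set
taken from the report's dropped-file list; thresholds are assumptions.
"""
import math
import random
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import List, Optional

GUID_DIR = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
NANOCORE_FILES = {"run.dat", "catalog.dat", "settings.bin", "settings.bak", "storage.dat", "task.dat"}
MIN_MATCHING_FILES = 3     # assumption: a partial drop is still worth a look
HIGH_ENTROPY = 7.9         # assumption: storage.dat in the report scores 7.999


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; the same measure the report prints as 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_candidate(d: Path) -> Optional[dict]:
    """Score one GUID-named directory; None when it does not carry the file set."""
    present = {p.name.lower() for p in d.iterdir() if p.is_file()} & NANOCORE_FILES
    if len(present) < MIN_MATCHING_FILES:
        return None
    finding = {"path": str(d), "files": sorted(present), "indicators": []}
    storage = d / "storage.dat"
    if storage.is_file():
        ent = shannon_entropy(storage.read_bytes())
        finding["storage_entropy"] = round(ent, 3)
        if ent >= HIGH_ENTROPY:
            finding["indicators"].append("storage.dat is high-entropy (encrypted blob)")
    task = d / "task.dat"
    if task.is_file():
        text = task.read_bytes().decode("ascii", errors="replace").strip()
        if re.fullmatch(r"[A-Za-z]:\\.+\.exe", text, re.I):
            finding["dropper_path"] = text
            finding["indicators"].append("task.dat names the original dropper")
    run = d / "run.dat"
    if run.is_file() and run.stat().st_size == 8:
        finding["indicators"].append("run.dat is 8 bytes, as in the report")
    return finding


def hunt(roaming: Path) -> List[dict]:
    """Check every top-level GUID-named directory of a Roaming folder."""
    findings = []
    for child in sorted(roaming.iterdir()):
        if child.is_dir() and GUID_DIR.match(child.name):
            f = inspect_candidate(child)
            if f is not None:
                findings.append(f)
    return findings


def build_sample_tree() -> Path:
    """Constructed stand-in for AppData\\Roaming; contents are made up, sizes follow the report."""
    root = Path(tempfile.mkdtemp(prefix="roaming_"))
    bad = root / "D06ED635-68F6-4E9A-955C-4899F5F57B9A"
    bad.mkdir()
    rng = random.Random(357315)
    (bad / "run.dat").write_bytes(bytes([1, 2, 0x38, 3, 4, 5, 6, 0x48]))     # 8 distinct bytes: entropy 3.0
    (bad / "catalog.dat").write_bytes(b"Gj\x01h\\\x023\x03" * 232)           # repeating 8-byte blob, 1856 bytes
    (bad / "settings.bak").write_bytes(bytes(range(24)))
    (bad / "settings.bin").write_bytes(bytes(range(64)))                     # entropy 6.0
    (bad / "storage.dat").write_bytes(bytes(rng.getrandbits(8) for _ in range(327768)))  # near 8.0
    (bad / "task.dat").write_bytes(rb"C:\Users\user\Desktop\BILLING INVOICE.pdf.exe")
    benign = root / "A1B2C3D4-0000-1111-2222-333344445555"                     # GUID name, unrelated content
    benign.mkdir()
    (benign / "cache.bin").write_bytes(b"\x00" * 100)
    (root / "Microsoft").mkdir()
    return root


if __name__ == "__main__":
    for f in hunt(build_sample_tree()):
        print(f)
```

On a real host call hunt(Path(os.environ["APPDATA"])); the GUID filter keeps the scan cheap, and the task.dat path, when present, tells you which file on the desktop to pull for the initial-access side of the investigation.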

                                                  Static File Info

                                                  General

                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):7.912703799735133
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                                  • Win32 Executable (generic) a (10002005/4) 49.93%
                                                  • Windows Screen Saver (13104/52) 0.07%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  • DOS Executable Generic (2002/1) 0.01%
                                                  File name:BILLING INVOICE.pdf.exe
                                                  File size:381440
                                                  MD5:2374bb6b2675413f13a74466b9325b97
                                                  SHA1:143c5d4ef23ca231614a625971788275d9daee44
                                                  SHA256:4c2079f57e1ecb6dd303d37cbe6b7e84e44d987a3fc29ef1e351ebba9fd5cc35
                                                  SHA512:819782c178cd37d0668ea40cc1b8ebd7ee6154d00388d86fba4fa608a87c633c06093ab9f9e15a3c7c947b9b4fd79116cfa260a10812789c9987d1ecfa125cc8
                                                  SSDEEP:6144:IdLOyWI+/pOD6wzzMLDOsFnWTU607u94jQBGQgwQ+6kLhokTpQmqSvtyvu:JEL6wEfOsFWTU5SmjQBG1P+d3pZX
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....5`................................. ........@.. .......................@............@................................

                                                  File Icon

                                                  Icon Hash:00828e8e8686b000

                                                  Static PE Info

                                                  General

                                                  Entrypoint:0x45e7ee
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                  Time Stamp:0x60359F02 [Wed Feb 24 00:34:10 2021 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:v4.0.30319
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                  Entrypoint Preview

                                                   Instruction
                                                   jmp dword ptr [00402000h]
                                                   add byte ptr [eax], al   (this line repeats for the remaining 97 instructions of the preview)

                                                   The first instruction is the standard entry stub of a 32-bit managed image: an indirect jmp through the single IAT slot (IMAGE_DIRECTORY_ENTRY_IAT at RVA 0x2000 plus image base 0x400000 = 0x402000), which the loader fills with the address of mscoree.dll!_CorExeMain. The bytes after that 6-byte stub are zero padding; the disassembler renders each 00 00 pair as add byte ptr [eax], al, so the long run carries no code.

                                                  Data Directories

                                                   Name                                  Virtual Address  Virtual Size  Is in Section
                                                   IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_IMPORT          0x5e79c          0x4f          .text
                                                   IMAGE_DIRECTORY_ENTRY_RESOURCE        0x60000          0x600         .rsrc
                                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_BASERELOC       0x62000          0xc           .reloc
                                                   IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                   IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                  Sections

                                                   Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                                   .text   0x2000           0x5c7f4       0x5c800   False     0.931579919764   data       7.92505185821   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                   .rsrc   0x60000          0x600         0x600     False     0.442057291667   data       4.29994504602   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                   .reloc  0x62000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                  Resources

                                                   Name         RVA      Size   Type                                                                        Language  Country
                                                   RT_VERSION   0x60090  0x36c  data
                                                   RT_MANIFEST  0x6040c  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                  Imports

                                                   DLL          Import
                                                   mscoree.dll  _CorExeMain
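The entry stub, the IAT and COM_DESCRIPTOR directories, the section table and the single mscoree.dll import above are the fields a static check for a packed .NET loader keys on. The script below is an added example written for this report, not Joe Sandbox's code or the sample's: it parses those fields from a PE32 file with only the standard library and applies the three checks the tables imply (CLR header present, entry point is a jmp through the IAT slot, .text entropy in packed territory), and decodes the COFF timestamp. build_sample_pe() constructs a minimal PE32 whose header values copy the report (ImageBase 0x400000, IAT at RVA 0x2000 size 8, CLR header at 0x2008 size 0x48, timestamp 0x60359F02); its entry RVA of 0x2100 and section sizes are made up so the file stays small, and the 7.5 entropy threshold is an assumption.

```python
"""Static checks on a PE32 header: managed image, CLR entry stub, .text density.

Added example for this report, not Joe Sandbox's or the sample's code.
build_sample_pe() is a constructed PE32 that copies the report's header
values; its entry RVA and section sizes are made up. PACKED_ENTROPY is an assumption.
"""
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

DIR_NAMES = ("EXPORT IMPORT RESOURCE EXCEPTION SECURITY BASERELOC DEBUG COPYRIGHT "
             "GLOBALPTR TLS LOAD_CONFIG BOUND_IMPORT IAT DELAY_IMPORT COM_DESCRIPTOR RESERVED").split()
PACKED_ENTROPY = 7.5   # assumption; the report's .text scores 7.925, plain compiled C# is well below 7


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe32(data: bytes) -> dict:
    """Entry point, image base, COFF timestamp, data directories and sections of a PE32 file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    timestamp = struct.unpack_from("<I", data, pe + 8)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here; PE32+ lays the optional header out differently")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = {name: struct.unpack_from("<II", data, opt + 96 + 8 * i)
            for i, name in enumerate(DIR_NAMES[:ndirs])}
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, *_, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va, "vsize": vsize,
                         "rawptr": rawptr, "rawsize": rawsize, "chars": chars,
                         "entropy": shannon_entropy(data[rawptr:rawptr + rawsize])})
    return {"entry": entry, "image_base": image_base, "timestamp": timestamp,
            "dirs": dirs, "sections": sections}


def rva_to_offset(pe: dict, rva: int) -> int:
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def assess(data: bytes) -> dict:
    pe = parse_pe32(data)
    iat_va, _ = pe["dirs"]["IAT"]
    _, clr_size = pe["dirs"]["COM_DESCRIPTOR"]
    # A 32-bit managed image starts with FF 25 <imagebase + IAT>: jmp dword ptr [slot] -> mscoree!_CorExeMain.
    stub = data[rva_to_offset(pe, pe["entry"]):][:6]
    expected = b"\xff\x25" + struct.pack("<I", pe["image_base"] + iat_va)
    text = next(s for s in pe["sections"] if s["name"] == ".text")
    return {"is_dotnet": clr_size != 0,
            "entry_is_clr_stub": stub == expected,
            "text_entropy": round(text["entropy"], 3),
            "text_looks_packed": text["entropy"] >= PACKED_ENTROPY,
            "compiled": datetime.fromtimestamp(pe["timestamp"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")}


def build_sample_pe() -> bytes:
    """Constructed PE32 mimicking the report's header layout (not the real sample)."""
    rng = random.Random(0x357315)
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                       # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, 3, 0x60359F02, 0, 0, 0xE0, 0x0102)  # COFF header
    opt = 0x98
    struct.pack_into("<H", hdr, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x2100)                # entry RVA (made up; report: 0x5e7ee)
    struct.pack_into("<I", hdr, opt + 28, 0x400000)              # ImageBase, as in the report
    struct.pack_into("<I", hdr, opt + 92, 16)                    # NumberOfRvaAndSizes
    for name, va, size in (("IAT", 0x2000, 8), ("COM_DESCRIPTOR", 0x2008, 0x48)):
        struct.pack_into("<II", hdr, opt + 96 + 8 * DIR_NAMES.index(name), va, size)
    secs = ((b".text", 0x1000, 0x2000, 0x1000, 0x200, 0x60000020),
            (b".rsrc", 0x200, 0x60000, 0x200, 0x1200, 0x40000040),
            (b".reloc", 0xC, 0x62000, 0x200, 0x1400, 0x42000040))
    for i, (n, vs, va, rs, rp, ch) in enumerate(secs):
        struct.pack_into("<8sIIIIIIHHI", hdr, opt + 0xE0 + 40 * i, n, vs, va, rs, rp, 0, 0, 0, 0, ch)
    text = bytearray(rng.getrandbits(8) for _ in range(0x1000))  # dense body, like a packed .NET stub
    struct.pack_into("<I", text, 0x0, 0)                          # IAT slot, patched by the loader
    struct.pack_into("<I", text, 0x8, 0x48)                       # CLR header: cb = 0x48
    text[0x100:0x106] = b"\xff\x25\x00\x20\x40\x00"               # jmp dword ptr [00402000h]
    return bytes(hdr) + bytes(text) + bytes(0x200) + bytes(0x200)
```

For a real file call assess(Path(p).read_bytes()). The script does not walk the import table; a non-empty COM_DESCRIPTOR together with the IAT-relative jmp is what identifies the image as managed, and the single _CorExeMain import the report lists is the counterpart of that stub. The entropy check is the signal that matters here: a .text section at 7.9 bits per byte is compressed or encrypted payload, not IL, which is why the report reaches the NanoCore verdict only after the unpacked stage is injected.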

                                                  Version Infos

                                                   Description       Data
                                                   Translation       0x0000 0x04b0
                                                   LegalCopyright    Copyright Neudesic 2017
                                                   Assembly Version  1.0.0.0
                                                   InternalName      GH5EC.exe
                                                   FileVersion       1.0.0.0
                                                   CompanyName       Neudesic
                                                   LegalTrademarks
                                                   Comments
                                                   ProductName       VectorBasedDrawing
                                                   ProductVersion    1.0.0.0
                                                   FileDescription   VectorBasedDrawing
                                                   OriginalFilename  GH5EC.exe

                                                  Network Behavior

                                                  Network Port Distribution

                                                  TCP Packets

                                                   All rows shown belong to a single TCP session between 192.168.2.6:49728 and 91.212.153.84:9036.

                                                   Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                                                   Feb 24, 2021 12:57:47.697957993 CET  49728        9036       192.168.2.6    91.212.153.84
                                                   Feb 24, 2021 12:57:47.719449997 CET  9036         49728      91.212.153.84  192.168.2.6
                                                   Feb 24, 2021 12:57:47.719549894 CET  49728        9036       192.168.2.6    91.212.153.84
                                                   Feb 24, 2021 12:57:47.796598911 CET  49728        9036       192.168.2.6    91.212.153.84
                                                   Feb 24, 2021 12:57:47.823239088 CET  9036         49728      91.212.153.84  192.168.2.6
                                                   Feb 24, 2021 12:57:47.845339060 CET  49728        9036       192.168.2.6    91.212.153.84
                                                   Feb 24, 2021 12:57:47.866569042 CET  9036         49728      91.212.153.84  192.168.2.6
                                                   Feb 24, 2021 12:57:47.889058113 CET  49728        9036       192.168.2.6    91.212.153.84
                                                   Feb 24, 2021 12:57:47.963701963 CET  9036         49728      91.212.153.84  192.168.2.6
                                                   Feb 24, 2021 12:57:47.975496054 CET  9036         49728      91.212.153.84  192.168.2.6
                                                   Feb 24, 2021 12:57:47.975543976 CET  9036         49728      91.212.153.84  192.168.2.6
                                                   Feb 24, 2021 12:57:47.975574970 CET  9036         49728      91.212.153.84  192.168.2.6
                                                   Feb 24, 2021 12:57:47.975583076 CET  9036         49728      91.212.153.84  192.168.2.6
                                                   Feb 24, 2021 12:57:47.975621939 CET  49728        9036       192.168.2.6    91.212.153.84
                                                   Feb 24, 2021 12:57:47.975651979 CET  49728        9036       192.168.2.6    91.212.153.84
                                                   Feb 24, 2021 12:57:47.996611118 CET  9036         49728      91.212.153.84  192.168.2.6
                                                   Feb 24, 2021 12:57:47.996642113 CET  9036         49728      91.212.153.84  192.168.2.6
                                                   Feb 24, 2021 12:57:47.996665001 CET  9036         49728      91.212.153.84  192.168.2.6
                                                   Feb 24, 2021 12:57:47.996686935 CET  9036         49728      91.212.153.84  192.168.2.6
                                                   Feb 24, 2021 12:57:47.996707916 CET  49728        9036       192.168.2.6    91.212.153.84
                                                   Feb 24, 2021 12:57:47.996723890 CET  9036         49728      91.212.153.84  192.168.2.6
                                                   Feb 24, 2021 12:57:47.996745110 CET  9036         49728      91.212.153.84  192.168.2.6
                                                   Feb 24, 2021 12:57:47.996756077 CET  49728        9036       192.168.2.6    91.212.153.84
                                                   Feb 24, 2021 12:57:47.996777058 CET  9036         49728      91.212.153.84  192.168.2.6
                                                   Feb 24, 2021 12:57:47.996787071 CET  49728        9036       192.168.2.6    91.212.153.84
                                                   Feb 24, 2021 12:57:47.996808052 CET  9036         49728      91.212.153.84  192.168.2.6
                                                   Feb 24, 2021 12:57:47.996869087 CET  49728        9036       192.168.2.6    91.212.153.84
                                                   Feb 24, 2021 12:57:48.017303944 CET  9036         49728      91.212.153.84  192.168.2.6
                                                   Feb 24, 2021 12:57:48.017426968 CET  9036         49728      91.212.153.84  192.168.2.6
                                                   Feb 24, 2021 12:57:48.017452002 CET  9036         49728      91.212.153.84  192.168.2.6
                                                   Feb 24, 2021 12:57:48.017478943 CET  9036         49728      91.212.153.84  192.168.2.6
                                                   Feb 24, 2021 12:57:48.017505884 CET  9036         49728      91.212.153.84  192.168.2.6
                                                   Feb 24, 2021 12:57:48.017539978 CET  49728        9036       192.168.2.6    91.212.153.84
                                                   Feb 24, 2021 12:57:48.017566919 CET  9036         49728      91.212.153.84  192.168.2.6
                                                   Feb 24, 2021 12:57:48.017590046 CET  9036         49728      91.212.153.84  192.168.2.6
                                                   Feb 24, 2021 12:57:48.017601013 CET  49728        9036       192.168.2.6    91.212.153.84
                                                  Feb 24, 2021 12:57:48.017623901 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.017636061 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.017653942 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.017668009 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.017744064 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.017767906 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.017786026 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.017802000 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.017827988 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.017844915 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.018040895 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.018064976 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.018090010 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.018096924 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.018143892 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.029783010 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.038485050 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.038511038 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.038527966 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.038551092 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.038568020 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.038584948 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.038599968 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.038618088 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.038635015 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.038645029 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.038660049 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.038671017 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.038708925 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.038954973 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.038980007 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.038996935 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.039011955 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.039028883 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.039042950 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.039062977 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.039079905 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.039098024 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.039108992 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.039114952 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.039134979 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.039151907 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.039171934 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.039180994 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.039201975 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.039215088 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.039237022 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.039982080 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.040050983 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.040079117 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.040082932 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.040102959 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.040127039 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.040127039 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.040149927 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.040153980 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.040174961 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.040188074 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.040201902 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.040220022 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.040225029 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.040249109 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.040249109 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.040271044 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.040275097 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.040292978 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.040297985 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.040321112 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.040338993 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.060251951 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.060297966 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.060323000 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.060348034 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.060372114 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.060395956 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.060419083 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.060420990 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.060441971 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.060463905 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.060466051 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.060487986 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.060494900 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.060512066 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.060538054 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.060556889 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.060592890 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.060607910 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.060631990 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.060655117 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.060678005 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.060729027 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.060739040 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.060764074 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.060786963 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.060808897 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.060810089 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.060849905 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.060873032 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.060873032 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.060913086 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.060957909 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.060981989 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.061005116 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.061028004 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.061057091 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.061089993 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.061096907 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.061121941 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.061144114 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.061256886 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.061285973 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.061311007 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.061322927 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.061335087 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.061358929 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.061362028 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.061393976 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.061417103 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.061423063 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.061445951 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.061506033 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.061767101 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.061840057 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.061868906 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.061893940 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.061893940 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.061918020 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.061942101 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.061958075 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.062048912 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.062076092 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.062098026 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.062120914 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.062120914 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.062201977 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.062206030 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.062232971 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.062256098 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.062299967 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.081362963 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.081404924 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.081425905 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.081432104 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.081444979 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.081465960 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.081485987 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.081510067 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.081530094 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.081532001 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.081552029 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.081573009 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.081583023 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.081593990 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.081617117 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.081643105 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.081664085 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.081819057 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.081840992 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.081862926 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.081870079 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.081883907 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.081904888 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.081914902 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.081927061 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.081943035 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.081952095 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.081974983 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.082004070 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.082101107 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.082123995 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.082148075 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.082171917 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.082184076 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.082194090 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.082231045 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.082257986 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.082257986 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.082278967 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.082310915 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.082338095 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.082343102 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.082374096 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.082480907 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.082606077 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.082631111 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.082710981 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.082734108 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.082823992 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.082904100 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.082926035 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.082947969 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.082967043 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.082988024 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.082999945 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.083007097 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.083024025 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.083040953 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.083071947 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.083087921 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.083111048 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.083132982 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.083180904 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.083250999 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.083272934 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.083374023 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.083399057 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.083422899 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.083617926 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.102250099 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.102282047 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.102304935 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.102327108 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.102334976 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.102353096 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.102355957 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.102376938 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.102400064 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.102401018 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.102451086 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.102592945 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.102910042 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.102935076 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.102961063 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.102988005 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.103008986 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.103029966 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.103034019 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.103080988 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.103084087 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.103117943 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.103138924 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.103161097 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.103183031 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:57:48.103183985 CET497289036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:57:48.103204966 CET90364972891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:39.769331932 CET90364975591.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:39.853781939 CET497559036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:39.875181913 CET90364975591.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:39.963874102 CET497559036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:39.984663010 CET90364975591.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:40.052347898 CET497559036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:40.073846102 CET90364975591.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:40.125447035 CET497559036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:40.203701973 CET90364975591.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:40.203790903 CET497559036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:40.266395092 CET90364975591.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:40.365323067 CET90364975591.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:40.482860088 CET497559036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:41.123972893 CET497559036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:41.209310055 CET90364975591.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:42.324155092 CET497559036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:46.376780987 CET497579036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:46.397672892 CET90364975791.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:46.397783041 CET497579036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:46.398371935 CET497579036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:46.433135033 CET90364975791.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:46.433440924 CET497579036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:46.455609083 CET90364975791.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:46.459789038 CET497579036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:46.537858009 CET90364975791.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:46.630285978 CET90364975791.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:46.631223917 CET497579036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:46.652391911 CET90364975791.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:46.653350115 CET497579036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:46.674154043 CET90364975791.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:46.674242020 CET497579036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:46.694946051 CET90364975791.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:46.695048094 CET497579036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:46.769329071 CET90364975791.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:47.033534050 CET497579036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:47.117252111 CET90364975791.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:48.125835896 CET497579036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:48.207562923 CET90364975791.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:48.412563086 CET90364975791.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:48.499104977 CET497579036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:49.049973965 CET497579036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:53.180394888 CET497589036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:53.201277018 CET90364975891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:53.201467037 CET497589036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:53.201937914 CET497589036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:53.231404066 CET90364975891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:53.241547108 CET497589036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:53.263180971 CET90364975891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:53.265537024 CET497589036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:53.347176075 CET90364975891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:53.432903051 CET90364975891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:53.434051037 CET497589036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:53.455081940 CET90364975891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:53.511240005 CET497589036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:53.534265041 CET497589036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:53.555746078 CET90364975891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:53.556150913 CET497589036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:53.577440977 CET90364975891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:53.625066042 CET497589036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:53.695887089 CET90364975891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:54.087210894 CET497589036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:54.164729118 CET90364975891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:55.115534067 CET497589036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:58:55.194489956 CET90364975891.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:58:56.117672920 CET497589036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:00.179450989 CET497599036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:00.200057030 CET90364975991.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:00.200222015 CET497599036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:00.200846910 CET497599036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:00.224380016 CET90364975991.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:00.266860962 CET497599036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:00.289319038 CET90364975991.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:00.289671898 CET497599036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:00.310844898 CET90364975991.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:00.315226078 CET497599036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:00.392410994 CET90364975991.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:00.479979992 CET90364975991.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:00.481851101 CET497599036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:00.504766941 CET90364975991.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:00.506917000 CET497599036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:00.529036045 CET90364975991.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:00.529135942 CET497599036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:00.551810026 CET90364975991.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:00.583184958 CET497599036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:00.654737949 CET90364975991.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:01.205457926 CET497599036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:05.300668955 CET497609036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:05.321547985 CET90364976091.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:05.321791887 CET497609036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:05.322572947 CET497609036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:05.351397991 CET90364976091.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:05.351912975 CET497609036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:05.373537064 CET90364976091.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:05.374667883 CET497609036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:05.445319891 CET90364976091.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:05.533751011 CET90364976091.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:05.568305016 CET497609036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:05.589565992 CET90364976091.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:05.590584040 CET497609036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:05.613240957 CET90364976091.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:05.613404989 CET497609036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:05.634768963 CET90364976091.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:05.689102888 CET497609036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:05.738022089 CET497609036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:05.807631969 CET90364976091.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:05.827856064 CET497609036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:05.901377916 CET90364976091.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:06.815160990 CET497609036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:06.889426947 CET90364976091.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:07.815131903 CET497609036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:11.881128073 CET497619036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:11.901639938 CET90364976191.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:11.901761055 CET497619036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:11.902980089 CET497619036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:11.926146030 CET90364976191.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:11.970853090 CET497619036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:11.991884947 CET90364976191.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:11.999273062 CET497619036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:12.019958019 CET90364976191.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:12.021509886 CET497619036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:12.099663019 CET90364976191.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:12.170866013 CET90364976191.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:12.172749043 CET497619036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:12.196278095 CET90364976191.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:12.206826925 CET497619036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:12.229067087 CET90364976191.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:12.230401993 CET497619036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:12.251022100 CET90364976191.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:12.267565012 CET497619036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:12.338356018 CET90364976191.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:12.588620901 CET90364976191.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:12.642760038 CET497619036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:12.863136053 CET497619036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:16.914099932 CET497629036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:16.935543060 CET90364976291.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:16.935782909 CET497629036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:16.938802004 CET497629036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:16.962979078 CET90364976291.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:17.018194914 CET497629036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:17.043281078 CET90364976291.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:17.043684959 CET497629036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:17.065581083 CET90364976291.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:17.067931890 CET497629036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:17.142736912 CET90364976291.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:17.213540077 CET90364976291.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:17.214693069 CET497629036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:17.235507011 CET90364976291.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:17.237298012 CET497629036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:17.262871981 CET90364976291.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:17.268790960 CET497629036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:17.290463924 CET90364976291.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:17.290667057 CET497629036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:17.371789932 CET90364976291.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:20.669013023 CET90364976291.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:20.721688986 CET497629036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:21.973062992 CET90364976291.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:22.018626928 CET497629036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:26.978291035 CET90364976291.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:27.019119978 CET497629036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:28.714004040 CET90364976291.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:28.769103050 CET497629036192.168.2.691.212.153.84
                                                  Feb 24, 2021 12:59:31.983531952 CET90364976291.212.153.84192.168.2.6
                                                  Feb 24, 2021 12:59:32.035088062 CET497629036192.168.2.691.212.153.84

                                                  UDP Packets


                                                  DNS Queries

                                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                  Feb 24, 2021 12:57:47.524568081 CET | 192.168.2.6 | 8.8.8.8 | 0x11e7 | Standard query (0) | shahzad73.casacam.net | A (IP address) | IN (0x0001)
                                                  Feb 24, 2021 12:57:57.713361979 CET | 192.168.2.6 | 8.8.8.8 | 0x552a | Standard query (0) | shahzad73.casacam.net | A (IP address) | IN (0x0001)
                                                  Feb 24, 2021 12:58:04.647655964 CET | 192.168.2.6 | 8.8.8.8 | 0xf647 | Standard query (0) | shahzad73.casacam.net | A (IP address) | IN (0x0001)
                                                  Feb 24, 2021 12:58:11.736670971 CET | 192.168.2.6 | 8.8.8.8 | 0xe229 | Standard query (0) | shahzad73.casacam.net | A (IP address) | IN (0x0001)
                                                  Feb 24, 2021 12:58:17.943790913 CET | 192.168.2.6 | 8.8.8.8 | 0xb1bb | Standard query (0) | shahzad73.casacam.net | A (IP address) | IN (0x0001)
                                                  Feb 24, 2021 12:58:24.259593964 CET | 192.168.2.6 | 8.8.8.8 | 0x2f7f | Standard query (0) | shahzad73.casacam.net | A (IP address) | IN (0x0001)
                                                  Feb 24, 2021 12:58:32.100343943 CET | 192.168.2.6 | 8.8.8.8 | 0x8851 | Standard query (0) | shahzad73.casacam.net | A (IP address) | IN (0x0001)
                                                  Feb 24, 2021 12:58:39.167280912 CET | 192.168.2.6 | 8.8.8.8 | 0x1196 | Standard query (0) | shahzad73.casacam.net | A (IP address) | IN (0x0001)
                                                  Feb 24, 2021 12:58:46.362746000 CET | 192.168.2.6 | 8.8.8.8 | 0x59db | Standard query (0) | shahzad73.casacam.net | A (IP address) | IN (0x0001)
                                                  Feb 24, 2021 12:58:53.114048958 CET | 192.168.2.6 | 8.8.8.8 | 0x7c93 | Standard query (0) | shahzad73.casacam.net | A (IP address) | IN (0x0001)
                                                  Feb 24, 2021 12:59:00.165194035 CET | 192.168.2.6 | 8.8.8.8 | 0x5875 | Standard query (0) | shahzad73.casacam.net | A (IP address) | IN (0x0001)
                                                  Feb 24, 2021 12:59:05.285968065 CET | 192.168.2.6 | 8.8.8.8 | 0x6886 | Standard query (0) | shahzad73.casacam.net | A (IP address) | IN (0x0001)
                                                  Feb 24, 2021 12:59:11.865730047 CET | 192.168.2.6 | 8.8.8.8 | 0xf877 | Standard query (0) | shahzad73.casacam.net | A (IP address) | IN (0x0001)
                                                  Feb 24, 2021 12:59:16.899044991 CET | 192.168.2.6 | 8.8.8.8 | 0xcaa8 | Standard query (0) | shahzad73.casacam.net | A (IP address) | IN (0x0001)

                                                  DNS Answers

                                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                  Feb 24, 2021 12:57:47.687066078 CET | 8.8.8.8 | 192.168.2.6 | 0x11e7 | No error (0) | shahzad73.casacam.net | - | 91.212.153.84 | A (IP address) | IN (0x0001)
                                                  Feb 24, 2021 12:57:57.891199112 CET | 8.8.8.8 | 192.168.2.6 | 0x552a | No error (0) | shahzad73.casacam.net | - | 91.212.153.84 | A (IP address) | IN (0x0001)
                                                  Feb 24, 2021 12:58:04.662698030 CET | 8.8.8.8 | 192.168.2.6 | 0xf647 | No error (0) | shahzad73.casacam.net | - | 91.212.153.84 | A (IP address) | IN (0x0001)
                                                  Feb 24, 2021 12:58:11.750356913 CET | 8.8.8.8 | 192.168.2.6 | 0xe229 | No error (0) | shahzad73.casacam.net | - | 91.212.153.84 | A (IP address) | IN (0x0001)
                                                  Feb 24, 2021 12:58:17.956743002 CET | 8.8.8.8 | 192.168.2.6 | 0xb1bb | No error (0) | shahzad73.casacam.net | - | 91.212.153.84 | A (IP address) | IN (0x0001)
                                                  Feb 24, 2021 12:58:24.272880077 CET | 8.8.8.8 | 192.168.2.6 | 0x2f7f | No error (0) | shahzad73.casacam.net | - | 91.212.153.84 | A (IP address) | IN (0x0001)
                                                  Feb 24, 2021 12:58:32.266587019 CET | 8.8.8.8 | 192.168.2.6 | 0x8851 | No error (0) | shahzad73.casacam.net | - | 91.212.153.84 | A (IP address) | IN (0x0001)
                                                  Feb 24, 2021 12:58:39.337960005 CET | 8.8.8.8 | 192.168.2.6 | 0x1196 | No error (0) | shahzad73.casacam.net | - | 91.212.153.84 | A (IP address) | IN (0x0001)
                                                  Feb 24, 2021 12:58:46.375458002 CET | 8.8.8.8 | 192.168.2.6 | 0x59db | No error (0) | shahzad73.casacam.net | - | 91.212.153.84 | A (IP address) | IN (0x0001)
                                                  Feb 24, 2021 12:58:53.126672029 CET | 8.8.8.8 | 192.168.2.6 | 0x7c93 | No error (0) | shahzad73.casacam.net | - | 91.212.153.84 | A (IP address) | IN (0x0001)
                                                  Feb 24, 2021 12:59:00.178086996 CET | 8.8.8.8 | 192.168.2.6 | 0x5875 | No error (0) | shahzad73.casacam.net | - | 91.212.153.84 | A (IP address) | IN (0x0001)
                                                  Feb 24, 2021 12:59:05.299699068 CET | 8.8.8.8 | 192.168.2.6 | 0x6886 | No error (0) | shahzad73.casacam.net | - | 91.212.153.84 | A (IP address) | IN (0x0001)
                                                  Feb 24, 2021 12:59:11.879116058 CET | 8.8.8.8 | 192.168.2.6 | 0xf877 | No error (0) | shahzad73.casacam.net | - | 91.212.153.84 | A (IP address) | IN (0x0001)
                                                  Feb 24, 2021 12:59:16.913017035 CET | 8.8.8.8 | 192.168.2.6 | 0xcaa8 | No error (0) | shahzad73.casacam.net | - | 91.212.153.84 | A (IP address) | IN (0x0001)

                                                  Code Manipulations

                                                  Statistics

                                                  CPU Usage

                                                  Memory Usage

                                                  High Level Behavior Distribution

                                                  Behavior

                                                  System Behavior

                                                  General

                                                  Start time:12:57:13
                                                  Start date:24/02/2021
                                                  Path:C:\Users\user\Desktop\BILLING INVOICE.pdf.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Users\user\Desktop\BILLING INVOICE.pdf.exe'
                                                  Imagebase:0x550000
                                                  File size:381440 bytes
                                                  MD5 hash:2374BB6B2675413F13A74466B9325B97
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.403279843.0000000003849000.00000004.00000001.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.403279843.0000000003849000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.403279843.0000000003849000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  Reputation:low

                                                  General

                                                  Start time:12:57:40
                                                  Start date:24/02/2021
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ihNagUDDVeQ' /XML 'C:\Users\user\AppData\Local\Temp\tmp7646.tmp'
                                                  Imagebase:0x1290000
                                                  File size:185856 bytes
                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:12:57:41
                                                  Start date:24/02/2021
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff61de10000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:12:57:41
                                                  Start date:24/02/2021
                                                  Path:C:\Users\user\Desktop\BILLING INVOICE.pdf.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:{path}
                                                  Imagebase:0xfd0000
                                                  File size:381440 bytes
                                                  MD5 hash:2374BB6B2675413F13A74466B9325B97
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Reputation:low

                                                  General

                                                  Start time:12:57:44
                                                  Start date:24/02/2021
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp243E.tmp'
                                                  Imagebase:0x1290000
                                                  File size:185856 bytes
                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:12:57:44
                                                  Start date:24/02/2021
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff61de10000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:12:57:46
                                                  Start date:24/02/2021
                                                  Path:C:\Users\user\Desktop\BILLING INVOICE.pdf.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Users\user\Desktop\BILLING INVOICE.pdf.exe' 0
                                                  Imagebase:0x680000
                                                  File size:381440 bytes
                                                  MD5 hash:2374BB6B2675413F13A74466B9325B97
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.474284915.0000000003A99000.00000004.00000001.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.474284915.0000000003A99000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.474284915.0000000003A99000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  Reputation:low

                                                  General

                                                  Start time:12:58:09
                                                  Start date:24/02/2021
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ihNagUDDVeQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpE53C.tmp'
                                                  Imagebase:0x1290000
                                                  File size:185856 bytes
                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:12:58:11
                                                  Start date:24/02/2021
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff61de10000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:12:58:12
                                                  Start date:24/02/2021
                                                  Path:C:\Users\user\Desktop\BILLING INVOICE.pdf.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:{path}
                                                  Imagebase:0xdd0000
                                                  File size:381440 bytes
                                                  MD5 hash:2374BB6B2675413F13A74466B9325B97
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.483963807.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.483963807.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.483963807.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.485784066.0000000003161000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.485784066.0000000003161000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.485969919.0000000004169000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.485969919.0000000004169000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                  Reputation:low

                                                  Disassembly

                                                  Code Analysis

                                                    Executed Functions

                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.420181536.0000000006F70000.00000040.00000001.sdmp, Offset: 06F70000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d8f964940c4655425a41a12581583385867d0a1fd1b7b1355ed485b347bdf956
                                                    • Instruction ID: 11dc62079d17b33b8a0e57148e6c2ad8c9795d001452a33597a006abc8e341d0
                                                    • Opcode Fuzzy Hash: d8f964940c4655425a41a12581583385867d0a1fd1b7b1355ed485b347bdf956
                                                    • Instruction Fuzzy Hash: 7AC13A76D4922DDFEBA4DF64D9447FDB7B4EB4A305F10A1AAC009A2250D7344A88DF84
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04EC08E2
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.406417195.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: 258acd1b889787a2a802ff46fb1f06dc34f260ba92a7ae84156422992cf249d2
                                                    • Instruction ID: 3343df654b7312c32ddce4a6be785a6b313c29254d7e3569e60aaa510a8cfe83
                                                    • Opcode Fuzzy Hash: 258acd1b889787a2a802ff46fb1f06dc34f260ba92a7ae84156422992cf249d2
                                                    • Instruction Fuzzy Hash: 25A179B1C093889FDB12CFA4C9909D9BFB1FF4A354F16859EE444AB262D734A806CF51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 06F7A063
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.420181536.0000000006F70000.00000040.00000001.sdmp, Offset: 06F70000, based on PE: false
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: 62b392f6fcc948c20d05b2c269defc1bccec7844e74f9bc6ad3498bf160aba43
                                                    • Instruction ID: 4ef9e5f7196f4d6e14f6e79443a0158e76af4c5c72b3af754889d93919e4bc03
                                                    • Opcode Fuzzy Hash: 62b392f6fcc948c20d05b2c269defc1bccec7844e74f9bc6ad3498bf160aba43
                                                    • Instruction Fuzzy Hash: DB511571D04328DFDB60DF99D880BDDBBB6BF48314F15809AE908A7250DB759A88CF61
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04EC08E2
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.406417195.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: 3fa6bda833a0dd7d7d9291beadfa504dc26608104148926cc03ea49e772e1af4
                                                    • Instruction ID: aa20251f4f397a033e144913dfb9332504187fad56e4e7d2e4d5fb8ea517cf1c
                                                    • Opcode Fuzzy Hash: 3fa6bda833a0dd7d7d9291beadfa504dc26608104148926cc03ea49e772e1af4
                                                    • Instruction Fuzzy Hash: 7851D3B1D00349DFDB14CFA9C984ADEBBB5FF88314F24812AE819AB250D775A845CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04EC08E2
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.406417195.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: 12ce1ffcaffb50e40b509fdf721bd8a84bd39b2c16b88f4a7544b73e236481af
                                                    • Instruction ID: 2fe4b73a3c47ae16a489b2384e21f5ba82bfd7c8fbad7f66b59b11e4e3c51804
                                                    • Opcode Fuzzy Hash: 12ce1ffcaffb50e40b509fdf721bd8a84bd39b2c16b88f4a7544b73e236481af
                                                    • Instruction Fuzzy Hash: 2741C0B1D00349DFDB14CF99C984ADEBBB5FF88314F24822AE819AB210D775A845CF90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 04EC2E51
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.406417195.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                                    Similarity
                                                    • API ID: CallProcWindow
                                                    • String ID:
                                                    • API String ID: 2714655100-0
                                                    • Opcode ID: b34ca1efebdf1d375b634f9ae0a756b13dee093f96a553308c0dc7c894ca74b3
                                                    • Instruction ID: 6fa10703e8b814ef2c976d14a833d5927760b1fe6d8de052dad677186d1870e1
                                                    • Opcode Fuzzy Hash: b34ca1efebdf1d375b634f9ae0a756b13dee093f96a553308c0dc7c894ca74b3
                                                    • Instruction Fuzzy Hash: 05414BB4A00205CFDB15CF99C448AAABBF5FF88314F15C49DE519A7321D734A842CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F7A41D
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.420181536.0000000006F70000.00000040.00000001.sdmp, Offset: 06F70000, based on PE: false
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: fa15a22299b69cfb097cd2a8be1df568746decb9227fed596694c5eceb4cf461
                                                    • Instruction ID: a3d01b6f52e3dd3dc8bad804b631e366c14fa6b5b7cbe3dd479441f50d4f630a
                                                    • Opcode Fuzzy Hash: fa15a22299b69cfb097cd2a8be1df568746decb9227fed596694c5eceb4cf461
                                                    • Instruction Fuzzy Hash: 6921E4B19002599FCB50CFAAD985BDEBBF4FB48314F10852AE918A3350D779A944CBA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F7A297
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.420181536.0000000006F70000.00000040.00000001.sdmp, Offset: 06F70000, based on PE: false
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0

                                                    APIs
                                                    • SetThreadContext.KERNELBASE(?,00000000), ref: 06F7A1CF
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.420181536.0000000006F70000.00000040.00000001.sdmp, Offset: 06F70000, based on PE: false
                                                    Similarity
                                                    • API ID: ContextThread
                                                    • String ID:
                                                    • API String ID: 1591575202-0

                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F7A353
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.420181536.0000000006F70000.00000040.00000001.sdmp, Offset: 06F70000, based on PE: false
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0

                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 06F7BD7D
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.420181536.0000000006F70000.00000040.00000001.sdmp, Offset: 06F70000, based on PE: false
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0

                                                    APIs
                                                    • SetWindowLongW.USER32(?,?,?), ref: 04EC0A75
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.406417195.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                                    Similarity
                                                    • API ID: LongWindow
                                                    • String ID:
                                                    • API String ID: 1378638983-0

                                                    APIs
                                                    • SetWindowLongW.USER32(?,?,?), ref: 04EC0A75
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.406417195.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                                    Similarity
                                                    • API ID: LongWindow
                                                    • String ID:
                                                    • API String ID: 1378638983-0

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.420181536.0000000006F70000.00000040.00000001.sdmp, Offset: 06F70000, based on PE: false
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0

                                                    Non-executed Functions

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.399614884.0000000000552000.00000002.00020000.sdmp, Offset: 00550000, based on PE: true
                                                    • Associated: 00000001.00000002.399601095.0000000000550000.00000002.00020000.sdmp
                                                    • Associated: 00000001.00000002.399686400.00000000005B0000.00000002.00020000.sdmp
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 2
                                                    • API String ID: 0-1017134386


                                                    Executed Functions

                                                    APIs
                                                    • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 06CAA063
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.480802654.0000000006CA0000.00000040.00000001.sdmp, Offset: 06CA0000, based on PE: false
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0

                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06CAA41D
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.480802654.0000000006CA0000.00000040.00000001.sdmp, Offset: 06CA0000, based on PE: false
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0

                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06CAA297
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.480802654.0000000006CA0000.00000040.00000001.sdmp, Offset: 06CA0000, based on PE: false
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0

                                                    APIs
                                                    • SetThreadContext.KERNELBASE(?,00000000), ref: 06CAA1CF
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.480802654.0000000006CA0000.00000040.00000001.sdmp, Offset: 06CA0000, based on PE: false
                                                    Similarity
                                                    • API ID: ContextThread
                                                    • String ID:
                                                    • API String ID: 1591575202-0

                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06CAA353
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.480802654.0000000006CA0000.00000040.00000001.sdmp, Offset: 06CA0000, based on PE: false
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0

                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 06CABD7D
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.480802654.0000000006CA0000.00000040.00000001.sdmp, Offset: 06CA0000, based on PE: false
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.480802654.0000000006CA0000.00000040.00000001.sdmp, Offset: 06CA0000, based on PE: false
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0

                                                    Non-executed Functions

                                                    Executed Functions

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 0300B730
                                                    • GetCurrentThread.KERNEL32 ref: 0300B76D
                                                    • GetCurrentProcess.KERNEL32 ref: 0300B7AA
                                                    • GetCurrentThreadId.KERNEL32 ref: 0300B803
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.485500367.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 0300B730
                                                    • GetCurrentThread.KERNEL32 ref: 0300B76D
                                                    • GetCurrentProcess.KERNEL32 ref: 0300B7AA
                                                    • GetCurrentThreadId.KERNEL32 ref: 0300B803
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.485500367.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0

                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0300962E
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.485500367.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0

                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0300FD0A
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.485500367.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0

                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0300FD0A
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.485500367.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0

                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0300BD87
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.485500367.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0

                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0300BD87
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.485500367.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,030096A9,00000800,00000000,00000000), ref: 030098BA
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.485500367.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,030096A9,00000800,00000000,00000000), ref: 030098BA
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.485500367.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0300962E
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.485500367.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetWindowLongW.USER32(?,?,?), ref: 0300FE9D
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.485500367.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false
                                                    Similarity
                                                    • API ID: LongWindow
                                                    • String ID:
                                                    • API String ID: 1378638983-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetWindowLongW.USER32(?,?,?), ref: 0300FE9D
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.485500367.0000000003000000.00000040.00000001.sdmp, Offset: 03000000, based on PE: false
                                                    Similarity
                                                    • API ID: LongWindow
                                                    • String ID:
                                                    • API String ID: 1378638983-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.485028056.00000000015FD000.00000040.00000001.sdmp, Offset: 015FD000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.485086910.000000000160D000.00000040.00000001.sdmp, Offset: 0160D000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.485086910.000000000160D000.00000040.00000001.sdmp, Offset: 0160D000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.485028056.00000000015FD000.00000040.00000001.sdmp, Offset: 015FD000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Non-executed Functions