
Analysis Report Items_02559-02663.pdf.exe

Overview

General Information

Sample Name: Items_02559-02663.pdf.exe
Analysis ID: 357332
MD5: 69b99b73945755df4628529e5a1bf6f8
SHA1: 0b4a98cf7c2cf5f1fb3480736a602ebe4bbb9746
SHA256: 0a31dde9dd611de5afef82eac6581588c5d8b034106a1f4eac68958b8bd526c2
Tags: exe, NanoCore, RAT

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Items_02559-02663.pdf.exe (PID: 1680 cmdline: 'C:\Users\user\Desktop\Items_02559-02663.pdf.exe' MD5: 69B99B73945755DF4628529E5A1BF6F8)
    • schtasks.exe (PID: 1900 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jZWRPYaLXncddo' /XML 'C:\Users\user\AppData\Local\Temp\tmp71AB.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Items_02559-02663.pdf.exe (PID: 1440 cmdline: {path} MD5: 69B99B73945755DF4628529E5A1BF6F8)
      • schtasks.exe (PID: 5716 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1EF7.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 2860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Items_02559-02663.pdf.exe (PID: 472 cmdline: C:\Users\user\Desktop\Items_02559-02663.pdf.exe 0 MD5: 69B99B73945755DF4628529E5A1BF6F8)
    • schtasks.exe (PID: 5688 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jZWRPYaLXncddo' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA1E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "063b6e17-4321-4269-bf57-df94b570da06",
  "Group": "GIFT",
  "Domain1": "wilsonzz.webredirect.org",
  "Domain2": "thanks001.ddns.net",
  "Port": 9036,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Disable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4",
  "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"
}

Yara Overview

Memory Dumps

Source: 00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
Source: 00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp; Rule: NanoCore; Description: unknown; Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
Source: 00000000.00000002.687231789.0000000003B89000.00000004.00000001.sdmp; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0x1085d:$x1: NanoCore.ClientPluginHost
  • 0xff29d:$x1: NanoCore.ClientPluginHost
  • 0x1089a:$x2: IClientNetworkHost
  • 0xff2da:$x2: IClientNetworkHost
  • 0x143cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x102e0d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000000.00000002.687231789.0000000003B89000.00000004.00000001.sdmp; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
(22 entries in total; the remaining entries are not shown here)

Unpacked PEs

Source: 4.2.Items_02559-02663.pdf.exe.2df1408.2.unpack; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0x6da5:$x1: NanoCore.ClientPluginHost
  • 0x6dd2:$x2: IClientNetworkHost
Source: 4.2.Items_02559-02663.pdf.exe.2df1408.2.unpack; Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth
  • 0x6da5:$x2: NanoCore.ClientPluginHost
  • 0x7d74:$s2: FileCommand
  • 0xc776:$s4: PipeCreated
  • 0x6dbf:$s5: IClientLoggingHost
Source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.unpack; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.unpack; Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
Source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.unpack; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
(47 entries in total; the remaining entries are not shown here)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, ProcessId: 1440, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jZWRPYaLXncddo' /XML 'C:\Users\user\AppData\Local\Temp\tmp71AB.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jZWRPYaLXncddo' /XML 'C:\Users\user\AppData\Local\Temp\tmp71AB.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Items_02559-02663.pdf.exe', ParentImage: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, ParentProcessId: 1680, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jZWRPYaLXncddo' /XML 'C:\Users\user\AppData\Local\Temp\tmp71AB.tmp', ProcessId: 1900
Sigma detected: Suspicious Double Extension
Source: Process started; Author: Florian Roth (rule), @blu3_team (idea); Data: Command: {path}, CommandLine: {path}, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, NewProcessName: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, OriginalFileName: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, ParentCommandLine: 'C:\Users\user\Desktop\Items_02559-02663.pdf.exe', ParentImage: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, ParentProcessId: 1680, ProcessCommandLine: {path}, ProcessId: 2920

Signature Overview


AV Detection:

Found malware configuration
Source: 0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "063b6e17-4321-4269-bf57-df94b570da06", "Group": "GIFT", "Domain1": "wilsonzz.webredirect.org", "Domain2": "thanks001.ddns.net", "Port": 9036, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\jZWRPYaLXncddo.exe; ReversingLabs: Detection: 23%
Multi AV Scanner detection for submitted file
Source: Items_02559-02663.pdf.exe; ReversingLabs: Detection: 23%
Yara detected Nanocore RAT
Source: Yara match; File source: 00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.687231789.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.735464765.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.737807407.00000000031E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.725225610.0000000004839000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Items_02559-02663.pdf.exe PID: 1440, type: MEMORY
Source: Yara match; File source: Process Memory Space: Items_02559-02663.pdf.exe PID: 472, type: MEMORY
Source: Yara match; File source: Process Memory Space: Items_02559-02663.pdf.exe PID: 5880, type: MEMORY
Source: Yara match; File source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.Items_02559-02663.pdf.exe.4234c55.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.Items_02559-02663.pdf.exe.423062c.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.Items_02559-02663.pdf.exe.422b7f6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.Items_02559-02663.pdf.exe.423062c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Items_02559-02663.pdf.exe.3bbc2f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\jZWRPYaLXncddo.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Items_02559-02663.pdf.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files
Source: Items_02559-02663.pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Items_02559-02663.pdf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49709 -> 89.163.237.88:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49710 -> 89.163.237.88:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49711 -> 89.163.237.88:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49712 -> 89.163.237.88:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49714 -> 89.163.237.88:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49715 -> 89.163.237.88:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49716 -> 89.163.237.88:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49717 -> 89.163.237.88:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49718 -> 89.163.237.88:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49719 -> 89.163.237.88:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49720 -> 89.163.237.88:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49721 -> 89.163.237.88:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49722 -> 89.163.237.88:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49723 -> 89.163.237.88:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49724 -> 89.163.237.88:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49725 -> 89.163.237.88:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49726 -> 89.163.237.88:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49727 -> 89.163.237.88:9036
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: thanks001.ddns.net
Source: Malware configuration extractor; URLs: wilsonzz.webredirect.org
Source: global traffic; TCP traffic: 192.168.2.4:49709 -> 89.163.237.88:9036
Source: Joe Sandbox View; ASN Name: MYLOC-ASIPBackboneofmyLocmanagedITAGDE
Source: unknown; DNS traffic detected: queries for: wilsonzz.webredirect.org
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp; String found in binary or memory: http://google.com
Source: Items_02559-02663.pdf.exe, 00000000.00000002.684003114.0000000002C1F000.00000004.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.720737165.0000000003361000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Items_02559-02663.pdf.exe, 00000000.00000003.650108891.0000000000C7B000.00000004.00000001.sdmp; String found in binary or memory: http://www.monotype.
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: Items_02559-02663.pdf.exe, 00000000.00000002.681552710.00000000009A8000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Items_02559-02663.pdf.exe, 0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.687231789.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.735464765.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.737807407.00000000031E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.725225610.0000000004839000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Items_02559-02663.pdf.exe PID: 1440, type: MEMORY
Source: Yara match; File source: Process Memory Space: Items_02559-02663.pdf.exe PID: 472, type: MEMORY
Source: Yara match; File source: Process Memory Space: Items_02559-02663.pdf.exe PID: 5880, type: MEMORY
Source: Yara match; File source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.Items_02559-02663.pdf.exe.4234c55.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.Items_02559-02663.pdf.exe.423062c.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.Items_02559-02663.pdf.exe.422b7f6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.Items_02559-02663.pdf.exe.423062c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Items_02559-02663.pdf.exe.3bbc2f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.unpack, type: UNPACKEDPE

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)Show sources
Source: 00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.687231789.0000000003B89000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 00000000.00000002.687231789.0000000003B89000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.735464765.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 0000000A.00000002.735464765.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.737807407.00000000031E1000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.725225610.0000000004839000.00000004.00000001.sdmp, type: MEMORY; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 00000007.00000002.725225610.0000000004839000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Items_02559-02663.pdf.exe PID: 1440, type: MEMORY; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: Process Memory Space: Items_02559-02663.pdf.exe PID: 1440, type: MEMORY; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Items_02559-02663.pdf.exe PID: 472, type: MEMORY; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: Process Memory Space: Items_02559-02663.pdf.exe PID: 472, type: MEMORY; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Items_02559-02663.pdf.exe PID: 5880, type: MEMORY; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: Process Memory Space: Items_02559-02663.pdf.exe PID: 5880, type: MEMORY; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Items_02559-02663.pdf.exe.2df1408.2.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.unpack, type: UNPACKEDPE; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Items_02559-02663.pdf.exe.2de3130.4.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Items_02559-02663.pdf.exe.3249628.2.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 10.2.Items_02559-02663.pdf.exe.4234c55.5.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 10.2.Items_02559-02663.pdf.exe.423062c.3.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Items_02559-02663.pdf.exe.422b7f6.4.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 10.2.Items_02559-02663.pdf.exe.422b7f6.4.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Items_02559-02663.pdf.exe.2de3130.4.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 4.2.Items_02559-02663.pdf.exe.2de3130.4.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Items_02559-02663.pdf.exe.423062c.3.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Items_02559-02663.pdf.exe.3bbc2f0.2.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 0.2.Items_02559-02663.pdf.exe.3bbc2f0.2.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Items_02559-02663.pdf.exe.2df1408.2.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 4.2.Items_02559-02663.pdf.exe.2df1408.2.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Items_02559-02663.pdf.exe.2dbe8d4.3.raw.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 4.2.Items_02559-02663.pdf.exe.2dbe8d4.3.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.unpack, type: UNPACKEDPE; matched rule: Detetcs the Nanocore RAT; author: Florian Roth
Source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.unpack, type: UNPACKEDPE; matched rule: NanoCore; author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: Items_02559-02663.pdf.exe
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 0_2_00C4C134
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 0_2_00C4E56A
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 0_2_00C4E578
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 0_2_071A6010
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 0_2_071A1D7D
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 0_2_071A7A30
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 0_2_071A7A40
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 0_2_071A0006
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 0_2_071A0040
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 0_2_07A1070A
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 4_2_0149E471
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 4_2_0149E480
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 4_2_0149BBD4
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 7_2_0173C134
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 7_2_0173E578
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 7_2_0173E56A
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 7_2_07896010
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 7_2_07891D7D
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 7_2_07897A30
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 7_2_07897A40
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 7_2_07890007
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 7_2_07890040
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 7_2_082B070A
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 10_2_017DE471
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 10_2_017DE480
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 10_2_017DBBD4
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 10_2_031C9788
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 10_2_031CF5F8
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, Code function: 10_2_031CA610
Source: Items_02559-02663.pdf.exe, Binary or memory string: OriginalFilename vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000000.00000002.695012477.0000000007820000.00000002.00000001.sdmp, Binary or memory string: originalfilename vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000000.00000002.695012477.0000000007820000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000000.00000002.681552710.00000000009A8000.00000004.00000020.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000000.00000002.694626547.0000000007730000.00000002.00000001.sdmp, Binary or memory string: System.OriginalFileName vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, Binary or memory string: OriginalFilename vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, Binary or memory string: OriginalFilename vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, Binary or memory string: OriginalFilename vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000007.00000002.729365815.0000000008020000.00000002.00000001.sdmp, Binary or memory string: System.OriginalFileName vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000007.00000002.728684858.00000000078A0000.00000002.00000001.sdmp, Binary or memory string: originalfilename vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000007.00000002.728684858.00000000078A0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000007.00000002.728760284.00000000078D0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, Binary or memory string: OriginalFilename vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameLzma#.dll4 vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 0000000A.00000002.736160010.000000000142A000.00000004.00000020.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, Binary or memory string: OriginalFilename~ vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
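The "OriginalFilename ... vs Items_02559-02663.pdf.exe" lines above come from the sandbox pulling the OriginalFilename value out of VS_VERSIONINFO blocks found in process memory and comparing it with the name the sample runs under; for this sample the values are NanoCore's own client-plugin assemblies (ClientPlugin.dll, NanoCoreBase.dll, SurveillanceExClientPlugin.dll and so on), which is as clear a family indicator as the Yara hits. The following script is an added example, not Joe Sandbox code and not taken from the sample: it walks a memory buffer for OriginalFilename version-info strings, parses them by the structure's own header rather than by scanning for a NUL, and combines the result with the double-extension check from the "suspicious name" signature. The plugin-name list is copied from the report lines above; the benign-module list, the document and executable extension sets, the verdict rules and the memory buffer (built inline from hand-made version-info blocks) are the example's own assumptions.

```python
"""Added example: recover OriginalFilename values from a process-memory buffer
and apply the two checks shown in this report (NanoCore plugin names and a
document.exe double extension). Not Joe Sandbox code; the dump is constructed."""
import struct
from pathlib import PurePath

# NanoCore client assemblies whose OriginalFilename this report found in memory.
NANOCORE_PLUGIN_NAMES = {
    "ClientPlugin.dll", "CoreClientPlugin.dll", "ManagementClientPlugin.dll",
    "NanoCoreBase.dll", "MyClientPluginNew.dll", "MyClientPlugin.dll",
    "FileBrowserClient.dll", "NanoCoreStressTester.dll",
    "NetworkClientPlugin.dll", "SecurityClientPlugin.dll",
    "ToolsClientPlugin.dll", "Lzma#.dll", "SurveillanceExClientPlugin.dll",
}
# Runtime/OS modules that legitimately show up in a .NET process (assumed list).
BENIGN_NAMES = {"clr.dll", "mscorrc.dll", "propsys.dll.mui"}
# Document-looking first extension followed by an executable one (assumed lists).
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

_KEY = "OriginalFilename".encode("utf-16-le")


def extract_original_filenames(buf: bytes) -> list:
    """Return the value of every VS_VERSIONINFO 'String' block keyed OriginalFilename.

    Block layout: wLength, wValueLength, wType (three uint16), szKey (UTF-16LE,
    NUL terminated), padding to a 32-bit boundary, then the UTF-16LE value."""
    names, pos = [], 0
    while (i := buf.find(_KEY, pos)) >= 0:
        pos = i + len(_KEY)
        if i < 6:
            continue  # no room for a header: a bare string, not a version block
        start = i - 6
        _w_len, w_val_len, w_type = struct.unpack_from("<HHH", buf, start)
        if w_type != 1:  # 1 = text value; 0 would be binary data
            continue
        v = i + len(_KEY) + 2        # skip the key's terminating NUL
        v += (-(v - start)) % 4      # DWORD-align relative to the block start
        end = v + 2 * w_val_len      # wValueLength counts UTF-16 units incl. NUL
        if end > len(buf):
            continue
        names.append(buf[v:end].decode("utf-16-le", errors="replace").rstrip("\x00"))
    return names


def has_double_extension(filename: str) -> bool:
    """Items_02559-02663.pdf.exe -> True; setup.exe -> False; report.2021.exe -> False."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXEC_EXTS and suffixes[-2] in DOC_EXTS


def assess(sample_name: str, buf: bytes) -> dict:
    """Combine both indicators into the kind of finding the report lists."""
    names = extract_original_filenames(buf)
    plugins = sorted({n for n in names if n in NANOCORE_PLUGIN_NAMES})
    foreign = sorted({n for n in names if n and n not in BENIGN_NAMES
                      and n not in NANOCORE_PLUGIN_NAMES
                      and n.lower() != sample_name.lower()})
    double_ext = has_double_extension(sample_name)
    if plugins:
        verdict = "NanoCore RAT"
    elif double_ext or foreign:
        verdict = "suspicious"
    else:
        verdict = "no finding"
    return {"double_extension": double_ext, "nanocore_plugins": plugins,
            "foreign_original_filenames": foreign, "verdict": verdict}


def _vs_string(key: str, value: str) -> bytes:
    """Encode one version-info String block; used only to build the sample buffer."""
    sz_key = key.encode("utf-16-le") + b"\x00\x00"
    pad = (-(6 + len(sz_key))) % 4
    payload = sz_key + b"\x00" * pad + value.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<HHH", 6 + len(payload), len(value) + 1, 1) + payload


# Constructed stand-in for a memory region; not a real dump from this sample.
CONSTRUCTED_DUMP = (
    b"MZ" + b"\x90" * 30
    + _vs_string("OriginalFilename", "NanoCoreBase.dll")
    + b"\xcc" * 7
    + _vs_string("CompanyName", "Example Corp")
    + _vs_string("OriginalFilename", "clr.dll")
    + _vs_string("OriginalFilename", "")   # empty value, as several report lines show
    + _vs_string("OriginalFilename", "SurveillanceExClientPlugin.dll")
    + b"OriginalFilename" + b"\x00" * 8     # ASCII key: not a version block, ignored
)

if __name__ == "__main__":
    print(assess("Items_02559-02663.pdf.exe", CONSTRUCTED_DUMP))
```

Reading wValueLength from the header instead of scanning to the next NUL is what keeps an empty OriginalFilename (the bare "OriginalFilename vs ..." lines above) from swallowing the next block's length field as if it were text; the stray trailing characters in the report's own strings ("ClientPlugin.dll4", "clr.dllT") are exactly that kind of read-past-the-value artifact.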
Source: 00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.687231789.0000000003B89000.00000004.00000001.sdmp, type: MEMORY; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.687231789.0000000003B89000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.735464765.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.735464765.0000000000402000.00000040.00000001.sdmp, type: MEMORY; matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.737807407.00000000031E1000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.725225610.0000000004839000.00000004.00000001.sdmp, type: MEMORY; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.725225610.0000000004839000.00000004.00000001.sdmp, type: MEMORY; matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Items_02559-02663.pdf.exe PID: 1440, type: MEMORY; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Items_02559-02663.pdf.exe PID: 1440, type: MEMORY; matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Items_02559-02663.pdf.exe PID: 472, type: MEMORY; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Items_02559-02663.pdf.exe PID: 472, type: MEMORY; matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Items_02559-02663.pdf.exe PID: 5880, type: MEMORY; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Items_02559-02663.pdf.exe PID: 5880, type: MEMORY; matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.Items_02559-02663.pdf.exe.2df1408.2.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.Items_02559-02663.pdf.exe.2df1408.2.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.unpack, type: UNPACKEDPE; matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.Items_02559-02663.pdf.exe.2de3130.4.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.Items_02559-02663.pdf.exe.2de3130.4.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.raw.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.Items_02559-02663.pdf.exe.3249628.2.raw.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Items_02559-02663.pdf.exe.3249628.2.raw.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Items_02559-02663.pdf.exe.4234c55.5.raw.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Items_02559-02663.pdf.exe.4234c55.5.raw.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Items_02559-02663.pdf.exe.423062c.3.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Items_02559-02663.pdf.exe.423062c.3.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.raw.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.raw.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.Items_02559-02663.pdf.exe.422b7f6.4.raw.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Items_02559-02663.pdf.exe.422b7f6.4.raw.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Items_02559-02663.pdf.exe.422b7f6.4.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.Items_02559-02663.pdf.exe.2de3130.4.raw.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.Items_02559-02663.pdf.exe.2de3130.4.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.Items_02559-02663.pdf.exe.423062c.3.raw.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Items_02559-02663.pdf.exe.423062c.3.raw.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Items_02559-02663.pdf.exe.3bbc2f0.2.raw.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Items_02559-02663.pdf.exe.3bbc2f0.2.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.Items_02559-02663.pdf.exe.2df1408.2.raw.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.Items_02559-02663.pdf.exe.2df1408.2.raw.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.Items_02559-02663.pdf.exe.2df1408.2.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.Items_02559-02663.pdf.exe.2dbe8d4.3.raw.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.Items_02559-02663.pdf.exe.2dbe8d4.3.raw.unpack, type: UNPACKEDPE; matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.unpack, type: UNPACKEDPE; matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Items_02559-02663.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: jZWRPYaLXncddo.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engineClassification label: mal100.troj.evad.winEXE@17/10@18/2
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeFile created: C:\Users\user\AppData\Roaming\jZWRPYaLXncddo.exeJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeMutant created: \Sessions\1\BaseNamedObjects\PabRJVaJStCOUonYQzbLCywb
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2860:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3220:120:WilError_01
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{063b6e17-4321-4269-bf57-df94b570da06}
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5912:120:WilError_01
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeFile created: C:\Users\user\AppData\Local\Temp\tmp71AB.tmpJump to behavior
        Source: Items_02559-02663.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: Items_02559-02663.pdf.exe | ReversingLabs: Detection: 23%
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | File read: C:\Users\user\Desktop\Items_02559-02663.pdf.exe
        Source: unknown | Process created: C:\Users\user\Desktop\Items_02559-02663.pdf.exe 'C:\Users\user\Desktop\Items_02559-02663.pdf.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jZWRPYaLXncddo' /XML 'C:\Users\user\AppData\Local\Temp\tmp71AB.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\Items_02559-02663.pdf.exe {path}
        Source: unknown | Process created: C:\Users\user\Desktop\Items_02559-02663.pdf.exe {path}
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1EF7.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\Items_02559-02663.pdf.exe C:\Users\user\Desktop\Items_02559-02663.pdf.exe 0
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jZWRPYaLXncddo' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA1E.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\Items_02559-02663.pdf.exe {path}
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jZWRPYaLXncddo' /XML 'C:\Users\user\AppData\Local\Temp\tmp71AB.tmp'
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Process created: C:\Users\user\Desktop\Items_02559-02663.pdf.exe {path}
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Process created: C:\Users\user\Desktop\Items_02559-02663.pdf.exe {path}
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1EF7.tmp'
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jZWRPYaLXncddo' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA1E.tmp'
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Process created: C:\Users\user\Desktop\Items_02559-02663.pdf.exe {path}
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: Items_02559-02663.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: Items_02559-02663.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp
        Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp
        Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: Items_02559-02663.pdf.exe, Login.cs | .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: jZWRPYaLXncddo.exe.0.dr, Login.cs | .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.2.Items_02559-02663.pdf.exe.1e0000.0.unpack, Login.cs | .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.0.Items_02559-02663.pdf.exe.1e0000.0.unpack, Login.cs | .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.2.Items_02559-02663.pdf.exe.3a0000.0.unpack, Login.cs | .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.0.Items_02559-02663.pdf.exe.3a0000.0.unpack, Login.cs | .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.2.Items_02559-02663.pdf.exe.990000.1.unpack, Login.cs | .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.0.Items_02559-02663.pdf.exe.990000.0.unpack, Login.cs | .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.2.Items_02559-02663.pdf.exe.f60000.0.unpack, Login.cs | .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.0.Items_02559-02663.pdf.exe.f60000.0.unpack, Login.cs | .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 10.0.Items_02559-02663.pdf.exe.cf0000.0.unpack, Login.cs | .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 10.2.Items_02559-02663.pdf.exe.cf0000.1.unpack, Login.cs | .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Code function: 0_2_071A54C0 push eax; ret 0_2_071A54C1
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Code function: 0_2_07A1573D push FFFFFF8Bh; iretd 0_2_07A1573F
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Code function: 7_2_07895F18 pushfd ; ret 7_2_07895F25
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Code function: 7_2_078954C0 push eax; ret 7_2_078954C1
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Code function: 7_2_082B573D push FFFFFF8Bh; iretd 7_2_082B573F
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Code function: 10_2_031CB5E0 push eax; retf 10_2_031CB5ED
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Code function: 10_2_031C69F8 pushad ; retf 10_2_031C69F9
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Code function: 10_2_031C69FA push esp; retf 10_2_031C6A01
        Source: initial sample | Static PE information: section name: .text entropy: 7.94731147015
        Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | File created: C:\Users\user\AppData\Roaming\jZWRPYaLXncddo.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jZWRPYaLXncddo' /XML 'C:\Users\user\AppData\Local\Temp\tmp71AB.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | File opened: C:\Users\user\Desktop\Items_02559-02663.pdf.exe:Zone.Identifier read attributes | delete
        Uses an obfuscated file name to hide its real file extension (double extension)
        Source: Possible double extension: pdf.exe | Static PE information: Items_02559-02663.pdf.exe
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Window / User API: threadDelayed 4080
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Window / User API: threadDelayed 4749
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Window / User API: foregroundWindowGot 645
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Window / User API: foregroundWindowGot 759
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe TID: 1836 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe TID: 1368 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe TID: 816 | Thread sleep time: -11990383647911201s >= -30000s
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe TID: 660 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe TID: 5980 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe TID: 2224 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: Items_02559-02663.pdf.exe, 00000004.00000002.909276624.0000000000F30000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllox
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Memory written: C:\Users\user\Desktop\Items_02559-02663.pdf.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jZWRPYaLXncddo' /XML 'C:\Users\user\AppData\Local\Temp\tmp71AB.tmp'
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Process created: C:\Users\user\Desktop\Items_02559-02663.pdf.exe {path}
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1EF7.tmp'
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jZWRPYaLXncddo' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA1E.tmp'
        Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp | Binary or memory string: Program Manager
        Source: Items_02559-02663.pdf.exe, 00000004.00000002.910132928.0000000001850000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
        Source: Items_02559-02663.pdf.exe, 00000004.00000002.910132928.0000000001850000.00000002.00000001.sdmp | Binary or memory string: Progman
        Source: Items_02559-02663.pdf.exe, 00000004.00000002.910548747.0000000002F37000.00000004.00000001.sdmp | Binary or memory string: Program Managerp
        Source: Items_02559-02663.pdf.exe, 00000004.00000002.910132928.0000000001850000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
        Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp | Binary or memory string: Program Managert
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Users\user\Desktop\Items_02559-02663.pdf.exe VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Users\user\Desktop\Items_02559-02663.pdf.exe VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Users\user\Desktop\Items_02559-02663.pdf.exe VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Users\user\Desktop\Items_02559-02663.pdf.exe VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match, File source: 00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000000.00000002.687231789.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000A.00000002.735464765.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000A.00000002.737807407.00000000031E1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000007.00000002.725225610.0000000004839000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: Process Memory Space: Items_02559-02663.pdf.exe PID: 1440, type: MEMORY
        Source: Yara match, File source: Process Memory Space: Items_02559-02663.pdf.exe PID: 472, type: MEMORY
        Source: Yara match, File source: Process Memory Space: Items_02559-02663.pdf.exe PID: 5880, type: MEMORY
        Source: Yara match, File source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.2.Items_02559-02663.pdf.exe.4234c55.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.2.Items_02559-02663.pdf.exe.423062c.3.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.2.Items_02559-02663.pdf.exe.422b7f6.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.2.Items_02559-02663.pdf.exe.423062c.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.Items_02559-02663.pdf.exe.3bbc2f0.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: Items_02559-02663.pdf.exe, 00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
        Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
        Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
        Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
        Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
        Source: Items_02559-02663.pdf.exe, 00000007.00000002.725225610.0000000004839000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
        Source: Items_02559-02663.pdf.exe, 0000000A.00000002.735464765.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
        Source: Items_02559-02663.pdf.exe, 0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match; file source: 00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.687231789.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000A.00000002.735464765.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000A.00000002.737807407.00000000031E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000007.00000002.725225610.0000000004839000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: Items_02559-02663.pdf.exe PID: 1440, type: MEMORY
Source: Yara match; file source: Process Memory Space: Items_02559-02663.pdf.exe PID: 472, type: MEMORY
Source: Yara match; file source: Process Memory Space: Items_02559-02663.pdf.exe PID: 5880, type: MEMORY
Source: Yara match; file source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 10.2.Items_02559-02663.pdf.exe.4234c55.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 10.2.Items_02559-02663.pdf.exe.423062c.3.unpack, type: UNPACKEDPE
Source: Yara match; file source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 10.2.Items_02559-02663.pdf.exe.422b7f6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 10.2.Items_02559-02663.pdf.exe.423062c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.Items_02559-02663.pdf.exe.3bbc2f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation1 | Scheduled Task/Job1 | Process Injection112 | Masquerading11 | Input Capture21 | Security Software Discovery121 | Remote Services | Input Capture21 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Virtualization/Sandbox Evasion3 | LSASS Memory | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol11 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | System Information Discovery12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information12 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

        Behavior Graph

Behavior Graph ID: 357332; Sample: Items_02559-02663.pdf.exe; Start date: 24/02/2021; Architecture: WINDOWS; Score: 100

Top-level DNS/IP: wilsonzz.webredirect.org
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures

Items_02559-02663.pdf.exe (started)
  dropped: C:\Users\user\AppData\...\jZWRPYaLXncddo.exe (PE32)
  dropped: C:\Users\user\AppData\Local\...\tmp71AB.tmp (XML)
  dropped: C:\Users\...\Items_02559-02663.pdf.exe.log (ASCII)
  signature: Injects a PE file into a foreign processes
  started: Items_02559-02663.pdf.exe
    DNS/IP: wilsonzz.webredirect.org 89.163.237.88, ports 49709, 49710, 49711, MYLOC-ASIPBackboneofmyLocmanagedITAGDE, Germany
    DNS/IP: 192.168.2.1 (unknown)
    dropped: C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO)
    signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
    started: schtasks.exe
      started: conhost.exe
  started: schtasks.exe
    started: conhost.exe
  started: Items_02559-02663.pdf.exe
Items_02559-02663.pdf.exe (started)
  started: schtasks.exe
    started: conhost.exe
  started: Items_02559-02663.pdf.exe

        Screenshots


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

Source | Detection | Scanner | Label
Items_02559-02663.pdf.exe | 23% | ReversingLabs | Win32.Trojan.AgentTesla
Items_02559-02663.pdf.exe | 100% | Joe Sandbox ML |

        Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\jZWRPYaLXncddo.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\jZWRPYaLXncddo.exe | 23% | ReversingLabs | Win32.Trojan.AgentTesla

        Unpacked PE Files

Source | Detection | Scanner | Label
4.2.Items_02559-02663.pdf.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
10.2.Items_02559-02663.pdf.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

        Domains

        No Antivirus matches

        URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
thanks001.ddns.net | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.monotype. | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
wilsonzz.webredirect.org | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

        Domains and IPs

        Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
wilsonzz.webredirect.org | 89.163.237.88 | true | true | | unknown

          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
thanks001.ddns.net | true | Avira URL Cloud: safe | unknown
wilsonzz.webredirect.org | true | Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp | false | | high
http://www.monotype. | Items_02559-02663.pdf.exe, 00000000.00000003.650108891.0000000000C7B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp | false | | high
http://www.fonts.com | Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Items_02559-02663.pdf.exe, 00000000.00000002.684003114.0000000002C1F000.00000004.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.720737165.0000000003361000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

                                Contacted IPs


                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
89.163.237.88 | unknown | Germany | 24961 | MYLOC-ASIPBackboneofmyLocmanagedITAGDE | true

                                Private

                                IP
                                192.168.2.1

                                General Information

                                Joe Sandbox Version:31.0.0 Emerald
                                Analysis ID:357332
                                Start date:24.02.2021
                                Start time:13:12:27
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 10m 8s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Sample file name:Items_02559-02663.pdf.exe
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:11
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@17/10@18/2
                                EGA Information:Failed
                                HDC Information:
                                • Successful, ratio: 0.1% (good quality ratio 0.1%)
                                • Quality average: 53.1%
                                • Quality standard deviation: 27.7%
                                HCA Information:
                                • Successful, ratio: 95%
                                • Number of executed functions: 135
                                • Number of non-executed functions: 8
                                Cookbook Comments:
                                • Adjust boot time
                                • Enable AMSI
                                • Found application associated with file extension: .exe
                                Warnings:
                                • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                • Excluded IPs from analysis (whitelisted): 52.255.188.83, 104.43.193.48, 104.43.139.144, 13.64.90.137, 8.253.207.120, 67.26.17.254, 8.250.151.254, 8.248.121.254, 8.248.125.254
                                • Excluded domains from analysis (whitelisted): skypedataprdcoleus17.cloudapp.net, skypedataprdcolwus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, au-bg-shim.trafficmanager.net, skypedataprdcolcus15.cloudapp.net
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.

                                Simulations

                                Behavior and APIs

Time | Type | Description
13:13:17 | API Interceptor | 922x Sleep call for process: Items_02559-02663.pdf.exe modified
13:13:33 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\Items_02559-02663.pdf.exe" s>$(Arg0)

                                Joe Sandbox View / Context

                                IPs

                                No context

                                Domains

                                No context

                                ASN

Match | Associated Sample Name / URL | Detection | Context
MYLOC-ASIPBackboneofmyLocmanagedITAGDE | Bank Transfer Slip.exe | malicious | 91.212.153.84
MYLOC-ASIPBackboneofmyLocmanagedITAGDE | BILLING INVOICE.pdf.exe | malicious | 91.212.153.84
MYLOC-ASIPBackboneofmyLocmanagedITAGDE | JMG Memo-Circular No 018-21.PDF.exe | malicious | 91.212.153.84
MYLOC-ASIPBackboneofmyLocmanagedITAGDE | LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | malicious | 91.212.153.84
MYLOC-ASIPBackboneofmyLocmanagedITAGDE | POEA ADVISORY ON DELISTED AGENCIES.PDF.exe | malicious | 91.212.153.84
MYLOC-ASIPBackboneofmyLocmanagedITAGDE | Swift copy_BILLING INVOICE.pdf.exe | malicious | 91.212.153.84
MYLOC-ASIPBackboneofmyLocmanagedITAGDE | POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | malicious | 91.212.153.84
MYLOC-ASIPBackboneofmyLocmanagedITAGDE | POEA ADVISORY NO 450 2021.pdf.exe | malicious | 91.212.153.84
MYLOC-ASIPBackboneofmyLocmanagedITAGDE | POEA DELISTED AGENCIES (BATCH A).PDF.exe | malicious | 91.212.153.84
MYLOC-ASIPBackboneofmyLocmanagedITAGDE | POEA MEMORANDUM N0 056.exe | malicious | 91.212.153.84
MYLOC-ASIPBackboneofmyLocmanagedITAGDE | Swift_Payment_jpeg.exe | malicious | 62.141.37.17
MYLOC-ASIPBackboneofmyLocmanagedITAGDE | Protected.exe | malicious | 91.212.153.84
MYLOC-ASIPBackboneofmyLocmanagedITAGDE | Protected.2.exe | malicious | 91.212.153.84
MYLOC-ASIPBackboneofmyLocmanagedITAGDE | FickerStealer.exe | malicious | 89.163.225.172
MYLOC-ASIPBackboneofmyLocmanagedITAGDE | Documentaci#U00f3n.doc | malicious | 89.163.210.141
MYLOC-ASIPBackboneofmyLocmanagedITAGDE | SecuriteInfo.com.Trojan.DownLoader36.34557.26355.exe | malicious | 89.163.140.102
MYLOC-ASIPBackboneofmyLocmanagedITAGDE | TaskAudio Driver.exe | malicious | 193.111.198.220
MYLOC-ASIPBackboneofmyLocmanagedITAGDE | Z8363664.doc | malicious | 89.163.210.141
MYLOC-ASIPBackboneofmyLocmanagedITAGDE | OhGodAnETHlargementPill2.exe | malicious | 193.111.198.220
MYLOC-ASIPBackboneofmyLocmanagedITAGDE | godflex-r2.exe | malicious | 193.111.198.220

                                JA3 Fingerprints

                                No context

                                Dropped Files

                                No context

                                Created / dropped Files

                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Items_02559-02663.pdf.exe.log
                                Process:C:\Users\user\Desktop\Items_02559-02663.pdf.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1216
                                Entropy (8bit):5.355304211458859
                                Encrypted:false
                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                Malicious:true
                                Reputation:high, very likely benign file
Preview:
1,"fusion","GAC",0
1,"WinRT","NotApp",1
2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0
2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0
3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0
3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                C:\Users\user\AppData\Local\Temp\tmp1EF7.tmp
                                Process:C:\Users\user\Desktop\Items_02559-02663.pdf.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1311
                                Entropy (8bit):5.137743702844662
                                Encrypted:false
                                SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Y0u1kaxtn:cbk4oL600QydbQxIYODOLedq3hDj
                                MD5:2CB7C82A649468334E3AC9C286999C53
                                SHA1:86F1D65CA2595D717E2FC67F2F064E8AF6F20F89
                                SHA-256:64A1FE728F630ADEBE57FBFA6EB1DA4F9B38DDD815C9758C2DC743D19E9CBC3E
                                SHA-512:B2E5E5B6CE3733586ADE0C9F23318F3DE58CDA06B88CBF8073F69C0CC3B0AE9BEE2920A768906F2665CA32AAAEB35CF6E30D5CA66B1C60CDD05AA59B79377A5C
                                Malicious:false
                                Reputation:low
                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                C:\Users\user\AppData\Local\Temp\tmp71AB.tmp
                                Process:C:\Users\user\Desktop\Items_02559-02663.pdf.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1647
                                Entropy (8bit):5.188267571798794
                                Encrypted:false
                                SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGdtn:cbhK79lNQR/rydbz9I3YODOLNdq34
                                MD5:265EB6B9D687D7DFEA6503E02D65C940
                                SHA1:A2C93785E51DB7BF98DC0469D5F5F4CCCB6E9526
                                SHA-256:6FAA626806DEE34DEB3EAE73915BD8C9452F04D19F785C84C8936DD86754059C
                                SHA-512:69A786F717BBC7BEDD6FA760CCE15A7CEC96F9616808D4AB462156E9B65B76AC0494546E83837A355ED6CB5A7570642697483885F8CEC12209FB2F6906A65898
                                Malicious:true
                                Reputation:low
                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                C:\Users\user\AppData\Local\Temp\tmpBA1E.tmp
                                Process:C:\Users\user\Desktop\Items_02559-02663.pdf.exe
                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1647
                                Entropy (8bit):5.188267571798794
                                Encrypted:false
                                SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGdtn:cbhK79lNQR/rydbz9I3YODOLNdq34
                                MD5:265EB6B9D687D7DFEA6503E02D65C940
                                SHA1:A2C93785E51DB7BF98DC0469D5F5F4CCCB6E9526
                                SHA-256:6FAA626806DEE34DEB3EAE73915BD8C9452F04D19F785C84C8936DD86754059C
                                SHA-512:69A786F717BBC7BEDD6FA760CCE15A7CEC96F9616808D4AB462156E9B65B76AC0494546E83837A355ED6CB5A7570642697483885F8CEC12209FB2F6906A65898
                                Malicious:false
                                Reputation:low
                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                Process:C:\Users\user\Desktop\Items_02559-02663.pdf.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1856
                                Entropy (8bit):7.089541637477408
                                Encrypted:false
                                SSDEEP:48:IknjhUknjhUknjhUknjhUknjhUknjhUknjhUknjhL:HjhDjhDjhDjhDjhDjhDjhDjhL
                                MD5:30D23CC577A89146961915B57F408623
                                SHA1:9B5709D6081D8E0A570511E6E0AAE96FA041964F
                                SHA-256:E2130A72E55193D402B5F43F7F3584ECF6B423F8EC4B1B1B69AD693C7E0E5A9E
                                SHA-512:2D5C5747FD04F8326C2CC1FB313925070BC01D3352AFA6C36C167B72757A15F58B6263D96BD606338DA055812E69DDB628A6E18D64DD59697C2F42D1C58CC687
                                Malicious:false
                                Reputation:low
                                Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                Process:C:\Users\user\Desktop\Items_02559-02663.pdf.exe
                                File Type:Non-ISO extended-ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):8
                                Entropy (8bit):2.75
                                Encrypted:false
                                SSDEEP:3:Zot:mt
                                MD5:78D87C90B6290A2B5AC730E21857A636
                                SHA1:7F2397E26E56320B7D29A2EA56AF2315EBB5ECF7
                                SHA-256:A8C767EFF7AC0ABBBA818D11488D4D5D8D8A72B8BEA2DE743E0CC37B9AC06398
                                SHA-512:F83E4B95CDDA9DC47C9D3D9780A7CA0346CED7996BAFF6A6011E961030F830249BF3CAA5E1DB108B6B77E77C8B47A9855299C92543429A165FE3EA6423DE1E44
                                Malicious:true
                                Reputation:low
                                Preview: .....H
                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                Process:C:\Users\user\Desktop\Items_02559-02663.pdf.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):40
                                Entropy (8bit):5.153055907333276
                                Encrypted:false
                                SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                                MD5:4E5E92E2369688041CC82EF9650EDED2
                                SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                                SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                Malicious:false
                                Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                Process:C:\Users\user\Desktop\Items_02559-02663.pdf.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):327768
                                Entropy (8bit):7.999367066417797
                                Encrypted:true
                                SSDEEP:6144:oX44S90aTiB66x3PlZmqze1d1wI8lkWmtjJ/3Exi:LkjbU7LjGxi
                                MD5:2E52F446105FBF828E63CF808B721F9C
                                SHA1:5330E54F238F46DC04C1AC62B051DB4FCD7416FB
                                SHA-256:2F7479AA2661BD259747BC89106031C11B3A3F79F12190E7F19F5DF65B7C15C8
                                SHA-512:C08BA0E3315E2314ECBEF38722DF834C2CB8412446A9A310F41A8F83B4AC5984FCC1B26A1D8B0D58A730FDBDD885714854BDFD04DCDF7F582FC125F552D5C3CA
                                Malicious:false
                                Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                Process:C:\Users\user\Desktop\Items_02559-02663.pdf.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):48
                                Entropy (8bit):4.5199746782469115
                                Encrypted:false
                                SSDEEP:3:oNt+WfWsuKfMrQC:oNwvsuuMrQC
                                MD5:E180244A81F8CE52CE654E64B183D082
                                SHA1:36C89CD921CB760B029DA4F6102D3588232982FC
                                SHA-256:00CB24367F72D6074CB5201ADB3F208B1ED7D29E1DAC42D38023E505A4A56C09
                                SHA-512:0AD3E451827BA0C41574C5937B891CE4D763492255FE003F4B855C087AE15AA7734E3090AC0B6EDF161527B9A691B2710EEC7BBA6706EF0447ED332AEA112610
                                Malicious:false
                                Preview: C:\Users\user\Desktop\Items_02559-02663.pdf.exe
                                C:\Users\user\AppData\Roaming\jZWRPYaLXncddo.exe
                                Process:C:\Users\user\Desktop\Items_02559-02663.pdf.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):770048
                                Entropy (8bit):7.94192338687656
                                Encrypted:false
                                SSDEEP:12288:YEY3LLUEMthvqNv06tdkkQjFXZhBPEw6S4ZR6UaG+SsOEgntReIwCzWcPKlTPTGl:ALCYNJN+FXpc/H6Ud+SxDXeIwlBRG16c
                                MD5:69B99B73945755DF4628529E5A1BF6F8
                                SHA1:0B4A98CF7C2CF5F1FB3480736A602EBE4BBB9746
                                SHA-256:0A31DDE9DD611DE5AFEF82EAC6581588C5D8B034106A1F4EAC68958B8BD526C2
                                SHA-512:779A27BC5456FD9A7EF27963DAF4310C100DB04B53FFF46346C14D69B2EC7456A3DEE49505A4B23A59BD4E434E8AE845CFE2FD8D4EE9421FFB19A8D983CC3C89
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 23%
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...o.5`..............0.................. ........@.. ....................... ............@.................................4...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................h.......H.......Ho..t3......4.......x2..........................................&.(......*...0..9........~.........,".r...p.....(....o....s............~.....+..*....0...........~.....+..*".......*.0..!........(....r!..p~....o......t.....+..*....0..!........(....r1..p~....o......t.....+..*....0...........r5..p.+..*..0...........rA..p.+..*".(.....*^..}.....(.......(%....**...(.....*..0..;........rI..pr...p.(...........,..(......+..s......o .....(!.....*..0..I........r...pr...p.(.......

                                Static File Info

                                General

                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):7.94192338687656
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                • DOS Executable Generic (2002/1) 0.01%
                                File name:Items_02559-02663.pdf.exe
                                File size:770048
                                MD5:69b99b73945755df4628529e5a1bf6f8
                                SHA1:0b4a98cf7c2cf5f1fb3480736a602ebe4bbb9746
                                SHA256:0a31dde9dd611de5afef82eac6581588c5d8b034106a1f4eac68958b8bd526c2
                                SHA512:779a27bc5456fd9a7ef27963daf4310c100db04b53fff46346c14d69b2ec7456a3dee49505a4b23a59bd4e434e8ae845cfe2fd8d4ee9421ffb19a8d983cc3c89
                                SSDEEP:12288:YEY3LLUEMthvqNv06tdkkQjFXZhBPEw6S4ZR6UaG+SsOEgntReIwCzWcPKlTPTGl:ALCYNJN+FXpc/H6Ud+SxDXeIwlBRG16c
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...o.5`..............0.................. ........@.. ....................... ............@................................

                                File Icon

                                Icon Hash:00828e8e8686b000

                                Static PE Info

                                General

                                Entrypoint:0x4bd586
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                Time Stamp:0x6035AC6F [Wed Feb 24 01:31:27 2021 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:v4.0.30319
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                Entrypoint Preview

                                Instruction
                                jmp dword ptr [00402000h]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al

                                Data Directories

                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbd534 | 0x4f | .text
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbe000 | 0x5b4 | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc0000 | 0xc | .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                Sections

                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                .text | 0x2000 | 0xbb58c | 0xbb600 | False | 0.933682350734 | data | 7.94731147015 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                .rsrc | 0xbe000 | 0x5b4 | 0x600 | False | 0.436197916667 | data | 4.24672884221 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc | 0xc0000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                Resources

                                Name | RVA | Size | Type | Language | Country
                                RT_VERSION | 0xbe090 | 0x324 | data | |
                                RT_MANIFEST | 0xbe3c4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                Imports

                                DLL | Import
                                mscoree.dll | _CorExeMain

                                Version Infos

                                Description | Data
                                Translation | 0x0000 0x04b0
                                LegalCopyright | Copyright 2016
                                Assembly Version | 4.0.0.0
                                InternalName | wA.exe
                                FileVersion | 4.0.0.0
                                CompanyName |
                                LegalTrademarks |
                                Comments |
                                ProductName | ITP_RMSS
                                ProductVersion | 4.0.0.0
                                FileDescription | ITP_RMSS
                                OriginalFilename | wA.exe

                                Network Behavior

                                Snort IDS Alerts

                                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                02/24/21-13:13:35.557410 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49709 | 9036 | 192.168.2.4 | 89.163.237.88
                                02/24/21-13:13:42.456581 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49710 | 9036 | 192.168.2.4 | 89.163.237.88
                                02/24/21-13:13:48.944286 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49711 | 9036 | 192.168.2.4 | 89.163.237.88
                                02/24/21-13:13:55.417376 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49712 | 9036 | 192.168.2.4 | 89.163.237.88
                                02/24/21-13:14:02.308430 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49714 | 9036 | 192.168.2.4 | 89.163.237.88
                                02/24/21-13:14:09.115026 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49715 | 9036 | 192.168.2.4 | 89.163.237.88
                                02/24/21-13:14:15.121738 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49716 | 9036 | 192.168.2.4 | 89.163.237.88
                                02/24/21-13:14:22.468708 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49717 | 9036 | 192.168.2.4 | 89.163.237.88
                                02/24/21-13:14:28.451679 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49718 | 9036 | 192.168.2.4 | 89.163.237.88
                                02/24/21-13:14:33.473501 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49719 | 9036 | 192.168.2.4 | 89.163.237.88
                                02/24/21-13:14:39.501822 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49720 | 9036 | 192.168.2.4 | 89.163.237.88
                                02/24/21-13:14:45.520035 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49721 | 9036 | 192.168.2.4 | 89.163.237.88
                                02/24/21-13:14:50.510622 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49722 | 9036 | 192.168.2.4 | 89.163.237.88
                                02/24/21-13:14:56.537341 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49723 | 9036 | 192.168.2.4 | 89.163.237.88
                                02/24/21-13:15:02.624356 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49724 | 9036 | 192.168.2.4 | 89.163.237.88
                                02/24/21-13:15:07.507413 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49725 | 9036 | 192.168.2.4 | 89.163.237.88
                                02/24/21-13:15:13.608651 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49726 | 9036 | 192.168.2.4 | 89.163.237.88
                                02/24/21-13:15:19.571269 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49727 | 9036 | 192.168.2.4 | 89.163.237.88

                                Network Port Distribution

                                TCP Packets

                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Feb 24, 2021 13:13:35.358680010 CET | 49709 | 9036 | 192.168.2.4 | 89.163.237.88
                                Feb 24, 2021 13:13:35.380064011 CET | 9036 | 49709 | 89.163.237.88 | 192.168.2.4
                                Feb 24, 2021 13:13:35.380227089 CET | 49709 | 9036 | 192.168.2.4 | 89.163.237.88
                                Feb 24, 2021 13:13:35.557410002 CET | 49709 | 9036 | 192.168.2.4 | 89.163.237.88
                                Feb 24, 2021 13:13:35.598577023 CET | 9036 | 49709 | 89.163.237.88 | 192.168.2.4
                                Feb 24, 2021 13:13:35.625113964 CET | 49709 | 9036 | 192.168.2.4 | 89.163.237.88
                                Feb 24, 2021 13:13:35.649607897 CET | 9036 | 49709 | 89.163.237.88 | 192.168.2.4
                                Feb 24, 2021 13:13:35.690336943 CET | 49709 | 9036 | 192.168.2.4 | 89.163.237.88
                                Feb 24, 2021 13:13:35.764992952 CET | 9036 | 49709 | 89.163.237.88 | 192.168.2.4
                                Feb 24, 2021 13:13:35.765063047 CET | 49709 | 9036 | 192.168.2.4 | 89.163.237.88
                                Feb 24, 2021 13:13:35.769203901 CET | 9036 | 49709 | 89.163.237.88 | 192.168.2.4
                                Feb 24, 2021 13:13:35.769248962 CET | 9036 | 49709 | 89.163.237.88 | 192.168.2.4
                                Feb 24, 2021 13:13:35.769303083 CET | 9036 | 49709 | 89.163.237.88 | 192.168.2.4
                                Feb 24, 2021 13:13:35.769304037 CET | 49709 | 9036 | 192.168.2.4 | 89.163.237.88
                                Feb 24, 2021 13:13:35.769330978 CET | 49709 | 9036 | 192.168.2.4 | 89.163.237.88
                                Feb 24, 2021 13:13:35.769334078 CET | 9036 | 49709 | 89.163.237.88 | 192.168.2.4
                                Feb 24, 2021 13:13:35.769357920 CET | 49709 | 9036 | 192.168.2.4 | 89.163.237.88
                                Feb 24, 2021 13:13:35.769367933 CET | 49709 | 9036 | 192.168.2.4 | 89.163.237.88
                                Feb 24, 2021 13:13:35.790576935 CET | 9036 | 49709 | 89.163.237.88 | 192.168.2.4
                                Feb 24, 2021 13:13:35.790621042 CET | 9036 | 49709 | 89.163.237.88 | 192.168.2.4
                                Feb 24, 2021 13:13:35.790642977 CET | 9036 | 49709 | 89.163.237.88 | 192.168.2.4
                                Feb 24, 2021 13:13:35.790668011 CET | 9036 | 49709 | 89.163.237.88 | 192.168.2.4
                                Feb 24, 2021 13:13:35.790690899 CET | 9036 | 49709 | 89.163.237.88 | 192.168.2.4
                                Feb 24, 2021 13:13:35.790715933 CET | 9036 | 49709 | 89.163.237.88 | 192.168.2.4
                                Feb 24, 2021 13:13:35.790719986 CET | 49709 | 9036 | 192.168.2.4 | 89.163.237.88
                                Feb 24, 2021 13:13:35.790751934 CET | 9036 | 49709 | 89.163.237.88 | 192.168.2.4
                                Feb 24, 2021 13:13:35.790777922 CET | 9036 | 49709 | 89.163.237.88 | 192.168.2.4
                                Feb 24, 2021 13:13:35.790802956 CET | 49709 | 9036 | 192.168.2.4 | 89.163.237.88
                                Feb 24, 2021 13:13:35.790873051 CET | 49709 | 9036 | 192.168.2.4 | 89.163.237.88
                                Feb 24, 2021 13:13:35.812535048 CET | 9036 | 49709 | 89.163.237.88 | 192.168.2.4
                                Feb 24, 2021 13:13:35.812565088 CET | 9036 | 49709 | 89.163.237.88 | 192.168.2.4
                                Feb 24, 2021 13:13:35.812588930 CET | 9036 | 49709 | 89.163.237.88 | 192.168.2.4
                                Feb 24, 2021 13:13:35.812612057 CET | 9036 | 49709 | 89.163.237.88 | 192.168.2.4
                                Feb 24, 2021 13:13:35.812642097 CET | 49709 | 9036 | 192.168.2.4 | 89.163.237.88
                                Feb 24, 2021 13:13:35.812647104 CET | 9036 | 49709 | 89.163.237.88 | 192.168.2.4
                                Feb 24, 2021 13:13:35.812668085 CET | 49709 | 9036 | 192.168.2.4 | 89.163.237.88
                                Feb 24, 2021 13:13:35.812674999 CET | 9036 | 49709 | 89.163.237.88 | 192.168.2.4
                                Feb 24, 2021 13:13:35.812699080 CET | 9036 | 49709 | 89.163.237.88 | 192.168.2.4
                                Feb 24, 2021 13:13:35.812726974 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.812731981 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.812767029 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.812777996 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.812813997 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.812839031 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.812865973 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.812891006 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.812891006 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.812912941 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.812932968 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.812944889 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.812956095 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.812958956 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.812999964 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.835573912 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.835643053 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.835685968 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.835726023 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.835731030 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.835751057 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.835777998 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.835789919 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.835814953 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.835838079 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.835839033 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.835876942 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.835890055 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.835913897 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.835935116 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.835968971 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.835982084 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.836005926 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.836030006 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.836061001 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.836070061 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.836093903 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.836117029 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.836117983 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.836141109 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.836158037 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.836182117 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.836205006 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.836225986 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.836234093 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.836266041 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.836267948 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.836292982 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.836317062 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.836328030 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.836340904 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.836365938 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.836369991 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.836393118 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.836417913 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.836440086 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.836440086 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.836464882 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.836486101 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.836488962 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.836513042 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.836541891 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.836572886 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.857404947 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.857469082 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.857491016 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.857539892 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.857546091 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.857589960 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.857637882 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.857655048 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.857693911 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.857717991 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.857764006 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.857805014 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.857820988 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.857826948 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.857845068 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.857889891 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.857920885 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.857943058 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.857947111 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.857969046 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.858000994 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.858015060 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858086109 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858117104 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858124018 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.858139038 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858160973 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858181953 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.858184099 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858208895 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858231068 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858248949 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.858253002 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858274937 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858285904 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.858297110 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858318090 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.858318090 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858340979 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858361959 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858371019 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.858387947 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858396053 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.858411074 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858431101 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858443022 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.858453035 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858474970 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858495951 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858495951 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.858516932 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858539104 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858546019 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.858562946 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858584881 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858593941 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.858606100 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858628035 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858644009 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.858649015 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858658075 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.858669996 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858690977 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858709097 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.858712912 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858737946 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858760118 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858764887 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.858781099 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858803034 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.858831882 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.858872890 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.879379034 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.879406929 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.879426003 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.879452944 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.879468918 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.879481077 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.879479885 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.879498005 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.879525900 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.879554987 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.879590034 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.879612923 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.879615068 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.879630089 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.879638910 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.879646063 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.879663944 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.879667997 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.879687071 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.879709959 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.879714012 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.879734039 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.879749060 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.879756927 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.879765987 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.879797935 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.879856110 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.879905939 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.879916906 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.879923105 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.879945993 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.879956961 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.879970074 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.880034924 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.880040884 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.880068064 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.880104065 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.880121946 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.880139112 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.880155087 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.880166054 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.880170107 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.880187035 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.880207062 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.880212069 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.880250931 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.880259037 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.880270958 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.880289078 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.880307913 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.880309105 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.880333900 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.880350113 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.880357027 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.880373001 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.880379915 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.880389929 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.880405903 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.880425930 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.880455017 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.880475998 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.880481005 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.880537987 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.880662918 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.880687952 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.880713940 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.880729914 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.880733967 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.880772114 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.900631905 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.900669098 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.900680065 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.900696039 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.900830984 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.900849104 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.900865078 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.900876045 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.900895119 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.900908947 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.900953054 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.900990963 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.901180029 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.901201010 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.901221991 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.901232958 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.901262999 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.901264906 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.901300907 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.901336908 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.901381016 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.901423931 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.901463032 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.901475906 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.901504993 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.901525974 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.901565075 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.901596069 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.901609898 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.901618004 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.901629925 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.901649952 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.901673079 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.901680946 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.901704073 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.901722908 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.901725054 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.901773930 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.901807070 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.901825905 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.901834011 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.901865005 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.901869059 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.901899099 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.901931047 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.901952982 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.901973963 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.901998043 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.902004957 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.902021885 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.902034044 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.902040005 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.902080059 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.902086973 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.902133942 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.902157068 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.902190924 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.902201891 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.902210951 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.902230024 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.902255058 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.902257919 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.902277946 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.902297020 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.902301073 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.902322054 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.902337074 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.902339935 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.902359009 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.902380943 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.902411938 CET497099036192.168.2.489.163.237.88
                                Feb 24, 2021 13:13:35.921644926 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:13:35.921668053 CET90364970989.163.237.88192.168.2.4
                                Feb 24, 2021 13:14:50.570677042 CET497229036192.168.2.489.163.237.88
                                Feb 24, 2021 13:14:50.641849995 CET90364972289.163.237.88192.168.2.4
                                Feb 24, 2021 13:14:50.741066933 CET90364972289.163.237.88192.168.2.4
                                Feb 24, 2021 13:14:50.746557951 CET497229036192.168.2.489.163.237.88
                                Feb 24, 2021 13:14:50.767424107 CET90364972289.163.237.88192.168.2.4
                                Feb 24, 2021 13:14:50.769567013 CET497229036192.168.2.489.163.237.88
                                Feb 24, 2021 13:14:50.790510893 CET90364972289.163.237.88192.168.2.4
                                Feb 24, 2021 13:14:50.790883064 CET497229036192.168.2.489.163.237.88
                                Feb 24, 2021 13:14:50.812489986 CET90364972289.163.237.88192.168.2.4
                                Feb 24, 2021 13:14:50.813740969 CET497229036192.168.2.489.163.237.88
                                Feb 24, 2021 13:14:50.891772032 CET90364972289.163.237.88192.168.2.4
                                Feb 24, 2021 13:14:51.424496889 CET497229036192.168.2.489.163.237.88
                                Feb 24, 2021 13:14:51.498728991 CET90364972289.163.237.88192.168.2.4
                                Feb 24, 2021 13:14:52.440987110 CET497229036192.168.2.489.163.237.88
                                Feb 24, 2021 13:14:56.514357090 CET497239036192.168.2.489.163.237.88
                                Feb 24, 2021 13:14:56.536103964 CET90364972389.163.237.88192.168.2.4
                                Feb 24, 2021 13:14:56.536250114 CET497239036192.168.2.489.163.237.88
                                Feb 24, 2021 13:14:56.537341118 CET497239036192.168.2.489.163.237.88
                                Feb 24, 2021 13:14:56.568487883 CET90364972389.163.237.88192.168.2.4
                                Feb 24, 2021 13:14:56.568926096 CET497239036192.168.2.489.163.237.88
                                Feb 24, 2021 13:14:56.591119051 CET90364972389.163.237.88192.168.2.4
                                Feb 24, 2021 13:14:56.593466997 CET497239036192.168.2.489.163.237.88
                                Feb 24, 2021 13:14:56.658380985 CET90364972389.163.237.88192.168.2.4
                                Feb 24, 2021 13:14:56.773751974 CET90364972389.163.237.88192.168.2.4
                                Feb 24, 2021 13:14:56.788232088 CET497239036192.168.2.489.163.237.88
                                Feb 24, 2021 13:14:56.808840036 CET90364972389.163.237.88192.168.2.4
                                Feb 24, 2021 13:14:56.814807892 CET497239036192.168.2.489.163.237.88
                                Feb 24, 2021 13:14:56.835979939 CET90364972389.163.237.88192.168.2.4
                                Feb 24, 2021 13:14:56.836091995 CET497239036192.168.2.489.163.237.88
                                Feb 24, 2021 13:14:56.856997013 CET90364972389.163.237.88192.168.2.4
                                Feb 24, 2021 13:14:56.880170107 CET497239036192.168.2.489.163.237.88
                                Feb 24, 2021 13:14:56.902215958 CET90364972389.163.237.88192.168.2.4
                                Feb 24, 2021 13:14:56.955360889 CET497239036192.168.2.489.163.237.88
                                Feb 24, 2021 13:14:57.448909998 CET497239036192.168.2.489.163.237.88
                                Feb 24, 2021 13:14:57.525870085 CET90364972389.163.237.88192.168.2.4
                                Feb 24, 2021 13:14:58.440658092 CET497239036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:02.601317883 CET497249036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:02.622900963 CET90364972489.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:02.624316931 CET497249036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:02.624356031 CET497249036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:02.649302959 CET90364972489.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:02.690190077 CET497249036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:02.711783886 CET90364972489.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:02.713119030 CET497249036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:02.734293938 CET90364972489.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:02.737482071 CET497249036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:02.824846983 CET90364972489.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:02.905740976 CET90364972489.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:02.906963110 CET497249036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:02.927660942 CET90364972489.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:02.929436922 CET497249036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:02.950977087 CET90364972489.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:02.955691099 CET497249036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:02.976680040 CET90364972489.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:02.977046967 CET497249036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:03.058077097 CET90364972489.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:03.425394058 CET497249036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:07.486102104 CET497259036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:07.506721020 CET90364972589.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:07.506824017 CET497259036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:07.507412910 CET497259036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:07.537496090 CET90364972589.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:07.550935030 CET497259036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:07.572379112 CET90364972589.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:07.573906898 CET497259036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:07.637018919 CET90364972589.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:07.718005896 CET90364972589.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:07.718899965 CET497259036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:07.740598917 CET90364972589.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:07.741467953 CET497259036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:07.762433052 CET90364972589.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:07.762546062 CET497259036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:07.785633087 CET90364972589.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:07.785712957 CET497259036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:07.871407986 CET90364972589.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:08.426131964 CET497259036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:08.502249002 CET90364972589.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:09.442982912 CET497259036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:13.586884022 CET497269036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:13.607868910 CET90364972689.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:13.608042002 CET497269036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:13.608650923 CET497269036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:13.639300108 CET90364972689.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:13.639774084 CET497269036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:13.660567999 CET90364972689.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:13.662153006 CET497269036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:13.734200954 CET90364972689.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:13.815543890 CET90364972689.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:13.846206903 CET497269036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:13.866972923 CET90364972689.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:13.909787893 CET497269036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:13.910357952 CET497269036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:13.931494951 CET90364972689.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:13.945072889 CET497269036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:13.966013908 CET90364972689.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:14.019202948 CET497269036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:14.039681911 CET497269036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:14.125618935 CET90364972689.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:14.519990921 CET497269036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:14.593611002 CET90364972689.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:15.521192074 CET497269036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:19.549844980 CET497279036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:19.570853949 CET90364972789.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:19.570998907 CET497279036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:19.571269035 CET497279036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:19.594938040 CET90364972789.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:19.644618034 CET497279036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:19.665427923 CET90364972789.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:19.665663004 CET497279036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:19.687186003 CET90364972789.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:19.687972069 CET497279036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:19.781217098 CET90364972789.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:19.843147993 CET90364972789.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:19.843571901 CET497279036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:19.864258051 CET90364972789.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:19.865442038 CET497279036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:19.886697054 CET90364972789.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:19.886918068 CET497279036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:19.908063889 CET90364972789.163.237.88192.168.2.4
                                Feb 24, 2021 13:15:19.908327103 CET497279036192.168.2.489.163.237.88
                                Feb 24, 2021 13:15:19.995815992 CET90364972789.163.237.88192.168.2.4

                                UDP Packets

                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Feb 24, 2021 13:13:05.131644964 CET | 59920 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:13:05.144365072 CET | 53 | 59920 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:13:06.854136944 CET | 57458 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:13:06.866487980 CET | 53 | 57458 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:13:07.635777950 CET | 50579 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:13:07.648597956 CET | 53 | 50579 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:13:08.444322109 CET | 65248 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:13:08.456315041 CET | 53 | 65248 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:13:09.765423059 CET | 53723 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:13:09.778301001 CET | 53 | 53723 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:13:10.644164085 CET | 64646 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:13:10.659591913 CET | 53 | 64646 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:13:11.666393042 CET | 65298 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:13:11.680917978 CET | 53 | 65298 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:13:13.408221006 CET | 59123 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:13:13.420507908 CET | 53 | 59123 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:13:14.182230949 CET | 54531 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:13:14.197181940 CET | 53 | 54531 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:13:15.029716969 CET | 49714 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:13:15.043313026 CET | 53 | 49714 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:13:15.835571051 CET | 58028 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:13:15.848443031 CET | 53 | 58028 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:13:16.646267891 CET | 53097 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:13:16.658747911 CET | 53 | 53097 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:13:17.470582962 CET | 49257 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:13:17.482456923 CET | 53 | 49257 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:13:18.331350088 CET | 62389 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:13:18.344394922 CET | 53 | 62389 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:13:19.348400116 CET | 49910 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:13:19.361630917 CET | 53 | 49910 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:13:20.211576939 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:13:20.224864006 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:13:21.048191071 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:13:21.061738968 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:13:21.845335007 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:13:21.858378887 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:13:35.121257067 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:13:35.292083979 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:13:42.266710043 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:13:42.433168888 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:13:48.899710894 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:13:48.914328098 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:13:55.219964027 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:13:55.390961885 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:14:01.710227013 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:14:01.722053051 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:14:02.238163948 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:14:02.250988960 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:14:09.074867964 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:14:09.088027954 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:14:15.085726023 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:14:15.098505974 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:14:22.417701006 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:14:22.436132908 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:14:28.412439108 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:14:28.426688910 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:14:33.431617022 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:14:33.444726944 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:14:39.464747906 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:14:39.476856947 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:14:45.461611032 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:14:45.474519014 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:14:50.474667072 CET | 52337 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:14:50.487652063 CET | 53 | 52337 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:14:56.498562098 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:14:56.512487888 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:15:02.586545944 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:15:02.599725962 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:15:07.471865892 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:15:07.484658003 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:15:13.572782993 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:15:13.585798979 CET | 53 | 50601 | 8.8.8.8 | 192.168.2.4
                                Feb 24, 2021 13:15:19.536489010 CET | 60875 | 53 | 192.168.2.4 | 8.8.8.8
                                Feb 24, 2021 13:15:19.549335957 CET | 53 | 60875 | 8.8.8.8 | 192.168.2.4

                                DNS Queries

                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                Feb 24, 2021 13:13:35.121257067 CET | 192.168.2.4 | 8.8.8.8 | 0x9539 | Standard query (0) | wilsonzz.webredirect.org | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:13:42.266710043 CET | 192.168.2.4 | 8.8.8.8 | 0x49ac | Standard query (0) | wilsonzz.webredirect.org | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:13:48.899710894 CET | 192.168.2.4 | 8.8.8.8 | 0x4a5f | Standard query (0) | wilsonzz.webredirect.org | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:13:55.219964027 CET | 192.168.2.4 | 8.8.8.8 | 0x63f9 | Standard query (0) | wilsonzz.webredirect.org | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:14:02.238163948 CET | 192.168.2.4 | 8.8.8.8 | 0x77ff | Standard query (0) | wilsonzz.webredirect.org | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:14:09.074867964 CET | 192.168.2.4 | 8.8.8.8 | 0xb207 | Standard query (0) | wilsonzz.webredirect.org | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:14:15.085726023 CET | 192.168.2.4 | 8.8.8.8 | 0x490f | Standard query (0) | wilsonzz.webredirect.org | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:14:22.417701006 CET | 192.168.2.4 | 8.8.8.8 | 0xfe97 | Standard query (0) | wilsonzz.webredirect.org | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:14:28.412439108 CET | 192.168.2.4 | 8.8.8.8 | 0x8800 | Standard query (0) | wilsonzz.webredirect.org | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:14:33.431617022 CET | 192.168.2.4 | 8.8.8.8 | 0x5374 | Standard query (0) | wilsonzz.webredirect.org | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:14:39.464747906 CET | 192.168.2.4 | 8.8.8.8 | 0x7d1 | Standard query (0) | wilsonzz.webredirect.org | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:14:45.461611032 CET | 192.168.2.4 | 8.8.8.8 | 0x8527 | Standard query (0) | wilsonzz.webredirect.org | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:14:50.474667072 CET | 192.168.2.4 | 8.8.8.8 | 0x967e | Standard query (0) | wilsonzz.webredirect.org | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:14:56.498562098 CET | 192.168.2.4 | 8.8.8.8 | 0x5f52 | Standard query (0) | wilsonzz.webredirect.org | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:15:02.586545944 CET | 192.168.2.4 | 8.8.8.8 | 0x4721 | Standard query (0) | wilsonzz.webredirect.org | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:15:07.471865892 CET | 192.168.2.4 | 8.8.8.8 | 0xe71f | Standard query (0) | wilsonzz.webredirect.org | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:15:13.572782993 CET | 192.168.2.4 | 8.8.8.8 | 0x8222 | Standard query (0) | wilsonzz.webredirect.org | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:15:19.536489010 CET | 192.168.2.4 | 8.8.8.8 | 0x9f56 | Standard query (0) | wilsonzz.webredirect.org | A (IP address) | IN (0x0001)

                                DNS Answers

                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                Feb 24, 2021 13:13:35.292083979 CET | 8.8.8.8 | 192.168.2.4 | 0x9539 | No error (0) | wilsonzz.webredirect.org | | 89.163.237.88 | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:13:42.433168888 CET | 8.8.8.8 | 192.168.2.4 | 0x49ac | No error (0) | wilsonzz.webredirect.org | | 89.163.237.88 | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:13:48.914328098 CET | 8.8.8.8 | 192.168.2.4 | 0x4a5f | No error (0) | wilsonzz.webredirect.org | | 89.163.237.88 | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:13:55.390961885 CET | 8.8.8.8 | 192.168.2.4 | 0x63f9 | No error (0) | wilsonzz.webredirect.org | | 89.163.237.88 | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:14:02.250988960 CET | 8.8.8.8 | 192.168.2.4 | 0x77ff | No error (0) | wilsonzz.webredirect.org | | 89.163.237.88 | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:14:09.088027954 CET | 8.8.8.8 | 192.168.2.4 | 0xb207 | No error (0) | wilsonzz.webredirect.org | | 89.163.237.88 | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:14:15.098505974 CET | 8.8.8.8 | 192.168.2.4 | 0x490f | No error (0) | wilsonzz.webredirect.org | | 89.163.237.88 | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:14:22.436132908 CET | 8.8.8.8 | 192.168.2.4 | 0xfe97 | No error (0) | wilsonzz.webredirect.org | | 89.163.237.88 | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:14:28.426688910 CET | 8.8.8.8 | 192.168.2.4 | 0x8800 | No error (0) | wilsonzz.webredirect.org | | 89.163.237.88 | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:14:33.444726944 CET | 8.8.8.8 | 192.168.2.4 | 0x5374 | No error (0) | wilsonzz.webredirect.org | | 89.163.237.88 | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:14:39.476856947 CET | 8.8.8.8 | 192.168.2.4 | 0x7d1 | No error (0) | wilsonzz.webredirect.org | | 89.163.237.88 | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:14:45.474519014 CET | 8.8.8.8 | 192.168.2.4 | 0x8527 | No error (0) | wilsonzz.webredirect.org | | 89.163.237.88 | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:14:50.487652063 CET | 8.8.8.8 | 192.168.2.4 | 0x967e | No error (0) | wilsonzz.webredirect.org | | 89.163.237.88 | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:14:56.512487888 CET | 8.8.8.8 | 192.168.2.4 | 0x5f52 | No error (0) | wilsonzz.webredirect.org | | 89.163.237.88 | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:15:02.599725962 CET | 8.8.8.8 | 192.168.2.4 | 0x4721 | No error (0) | wilsonzz.webredirect.org | | 89.163.237.88 | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:15:07.484658003 CET | 8.8.8.8 | 192.168.2.4 | 0xe71f | No error (0) | wilsonzz.webredirect.org | | 89.163.237.88 | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:15:13.585798979 CET | 8.8.8.8 | 192.168.2.4 | 0x8222 | No error (0) | wilsonzz.webredirect.org | | 89.163.237.88 | A (IP address) | IN (0x0001)
                                Feb 24, 2021 13:15:19.549335957 CET | 8.8.8.8 | 192.168.2.4 | 0x9f56 | No error (0) | wilsonzz.webredirect.org | | 89.163.237.88 | A (IP address) | IN (0x0001)

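The TCP and DNS tables above show the implant opening a fresh connection to 89.163.237.88:9036 roughly every five to six seconds, with a new A lookup of wilsonzz.webredirect.org immediately before each one. The Python below is an added example and not part of the Joe Sandbox report: it takes rows in the report's own column order (copied here with ' | ' between the columns), groups packets into connections by ephemeral source port, scores how regular the reconnect interval is (coefficient of variation of the gaps), and checks that the destination of every connection was resolved at most one second earlier. The thresholds (five connections, CV at most 0.25, one-second DNS window) and the "web port" allow-list are assumptions chosen for this example, not values from the report.

```python
"""Beacon and DNS-correlation check over the report's TCP and DNS tables.

Added example, not part of the sandbox report. The rows below are copied from
the report's tables in their column order, with ' | ' separating the columns.
"""
import re
import statistics
from datetime import datetime, timedelta

# Constructed from the report: the first client->server packet of each
# connection (new ephemeral source port) plus two extra packets from the
# first connection so the grouping step has something to deduplicate.
TCP_PACKETS = """\
Feb 24, 2021 13:14:45.498400927 CET | 49721 | 9036 | 192.168.2.4 | 89.163.237.88
Feb 24, 2021 13:14:45.519273996 CET | 9036 | 49721 | 89.163.237.88 | 192.168.2.4
Feb 24, 2021 13:14:45.519423962 CET | 49721 | 9036 | 192.168.2.4 | 89.163.237.88
Feb 24, 2021 13:14:50.488933086 CET | 49722 | 9036 | 192.168.2.4 | 89.163.237.88
Feb 24, 2021 13:14:56.514357090 CET | 49723 | 9036 | 192.168.2.4 | 89.163.237.88
Feb 24, 2021 13:15:02.601317883 CET | 49724 | 9036 | 192.168.2.4 | 89.163.237.88
Feb 24, 2021 13:15:07.486102104 CET | 49725 | 9036 | 192.168.2.4 | 89.163.237.88
Feb 24, 2021 13:15:13.586884022 CET | 49726 | 9036 | 192.168.2.4 | 89.163.237.88
Feb 24, 2021 13:15:19.549844980 CET | 49727 | 9036 | 192.168.2.4 | 89.163.237.88
"""

# DNS answers, columns: Timestamp | Source IP | Dest IP | Trans ID | Reply Code
# | Name | CName | Address | Type | Class
DNS_ANSWERS = """\
Feb 24, 2021 13:14:45.474519014 CET | 8.8.8.8 | 192.168.2.4 | 0x8527 | No error (0) | wilsonzz.webredirect.org | | 89.163.237.88 | A (IP address) | IN (0x0001)
Feb 24, 2021 13:14:50.487652063 CET | 8.8.8.8 | 192.168.2.4 | 0x967e | No error (0) | wilsonzz.webredirect.org | | 89.163.237.88 | A (IP address) | IN (0x0001)
Feb 24, 2021 13:14:56.512487888 CET | 8.8.8.8 | 192.168.2.4 | 0x5f52 | No error (0) | wilsonzz.webredirect.org | | 89.163.237.88 | A (IP address) | IN (0x0001)
Feb 24, 2021 13:15:02.599725962 CET | 8.8.8.8 | 192.168.2.4 | 0x4721 | No error (0) | wilsonzz.webredirect.org | | 89.163.237.88 | A (IP address) | IN (0x0001)
Feb 24, 2021 13:15:07.484658003 CET | 8.8.8.8 | 192.168.2.4 | 0xe71f | No error (0) | wilsonzz.webredirect.org | | 89.163.237.88 | A (IP address) | IN (0x0001)
Feb 24, 2021 13:15:13.585798979 CET | 8.8.8.8 | 192.168.2.4 | 0x8222 | No error (0) | wilsonzz.webredirect.org | | 89.163.237.88 | A (IP address) | IN (0x0001)
Feb 24, 2021 13:15:19.549335957 CET | 8.8.8.8 | 192.168.2.4 | 0x9f56 | No error (0) | wilsonzz.webredirect.org | | 89.163.237.88 | A (IP address) | IN (0x0001)
"""

TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) CET$")


def parse_ts(text):
    """Report timestamps carry nanoseconds; datetime keeps microseconds only."""
    m = TS_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised timestamp: %r" % text)
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    return base + timedelta(microseconds=int(m.group(2)[:6].ljust(6, "0")))


def rows(table):
    return [[c.strip() for c in line.split("|")] for line in table.strip().splitlines()]


def connection_starts(tcp_table, client_ip):
    """First packet seen from client_ip for each (src port, dst ip, dst port)."""
    seen, starts = set(), []
    for ts, sport, dport, sip, dip in rows(tcp_table):
        key = (sport, dip, dport)
        if sip == client_ip and key not in seen:
            seen.add(key)
            starts.append((parse_ts(ts), int(sport), int(dport), dip))
    return sorted(starts)


def gap_stats(starts):
    """Mean gap between connection starts and its coefficient of variation;
    a low CV means the client reconnects on a fixed schedule (a beacon)."""
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(starts, starts[1:])]
    if len(gaps) < 2:
        return {"connections": len(starts), "mean_gap_s": None, "cv": None}
    mean = statistics.mean(gaps)
    return {"connections": len(starts), "mean_gap_s": mean,
            "cv": statistics.stdev(gaps) / mean}


def a_answers(dns_table):
    """(answer time, name, address) for every A answer in the table."""
    return [(parse_ts(r[0]), r[5], r[7]) for r in rows(dns_table) if r[8].startswith("A ")]


def resolved_just_before(starts, answers, window_s=1.0):
    """Map each connection's source port to the name whose A answer for that
    destination arrived at most window_s before the connection started."""
    hits = {}
    for ts, sport, dport, dip in starts:
        for ans_ts, name, addr in answers:
            if addr == dip and 0 <= (ts - ans_ts).total_seconds() <= window_s:
                hits[sport] = name
    return hits


def assess(tcp_table, dns_table, client_ip, min_connections=5, max_cv=0.25):
    """Beacon verdict: periodic reconnects to a non-web port, each preceded by a
    fresh lookup of the same name. Thresholds are this example's assumptions."""
    starts = connection_starts(tcp_table, client_ip)
    stats = gap_stats(starts)
    hits = resolved_just_before(starts, a_answers(dns_table))
    ports = {dport for _, _, dport, _ in starts}
    return {
        **stats,
        "dest_ports": sorted(ports),
        "nonstandard_port": bool(ports - {80, 443}),
        "periodic": stats["connections"] >= min_connections
                    and stats["cv"] is not None and stats["cv"] <= max_cv,
        "dns_before_every_connect": len(hits) == len(starts) > 0,
        "names": sorted(set(hits.values())),
    }


if __name__ == "__main__":
    for key, value in assess(TCP_PACKETS, DNS_ANSWERS, "192.168.2.4").items():
        print("%-25s %s" % (key, value))
```

On the rows above the verdict is seven connections with a mean gap of about 5.7 s and a CV near 0.1, all to port 9036 and each preceded by an A answer for the destination: the combination of a tight reconnect schedule, a non-web port and a lookup-per-connection pattern is what separates this from ordinary client traffic, and the same functions work unchanged on any other Joe Sandbox packet table once its columns are delimited.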
                                Code Manipulations

                                System Behavior

                                General

                                Start time: 13:13:11
                                Start date: 24/02/2021
                                Path: C:\Users\user\Desktop\Items_02559-02663.pdf.exe
                                Wow64 process (32bit): true
                                Commandline: 'C:\Users\user\Desktop\Items_02559-02663.pdf.exe'
                                Imagebase: 0x1e0000
                                File size: 770048 bytes
                                MD5 hash: 69B99B73945755DF4628529E5A1BF6F8
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: .Net C# or VB.NET
                                Yara matches:
                                • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.687231789.0000000003B89000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.687231789.0000000003B89000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.687231789.0000000003B89000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                Reputation: low

                                General

                                Start time: 13:13:28
                                Start date: 24/02/2021
                                Path: C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit): true
                                Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jZWRPYaLXncddo' /XML 'C:\Users\user\AppData\Local\Temp\tmp71AB.tmp'
                                Imagebase: 0x230000
                                File size: 185856 bytes
                                MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: high

                                General

                                Start time: 13:13:28
                                Start date: 24/02/2021
                                Path: C:\Windows\System32\conhost.exe
                                Wow64 process (32bit): false
                                Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase: 0x7ff724c50000
                                File size: 625664 bytes
                                MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: high

                                General

                                Start time: 13:13:29
                                Start date: 24/02/2021
                                Path: C:\Users\user\Desktop\Items_02559-02663.pdf.exe
                                Wow64 process (32bit): false
                                Commandline: {path}
                                Imagebase: 0x3a0000
                                File size: 770048 bytes
                                MD5 hash: 69B99B73945755DF4628529E5A1BF6F8
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: low

                                General

                                Start time:13:13:29
                                Start date:24/02/2021
                                Path:C:\Users\user\Desktop\Items_02559-02663.pdf.exe
                                Wow64 process (32bit):true
                                Commandline:{path}
                                Imagebase:0x990000
                                File size:770048 bytes
                                MD5 hash:69B99B73945755DF4628529E5A1BF6F8
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                Reputation:low

                                General

                                Start time:13:13:31
                                Start date:24/02/2021
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1EF7.tmp'
                                Imagebase:0x230000
                                File size:185856 bytes
                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:13:13:32
                                Start date:24/02/2021
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff724c50000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:13:13:33
                                Start date:24/02/2021
                                Path:C:\Users\user\Desktop\Items_02559-02663.pdf.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\Desktop\Items_02559-02663.pdf.exe 0
                                Imagebase:0xf60000
                                File size:770048 bytes
                                MD5 hash:69B99B73945755DF4628529E5A1BF6F8
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000007.00000002.725225610.0000000004839000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.725225610.0000000004839000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.725225610.0000000004839000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                Reputation:low

                                General

                                Start time:13:13:46
                                Start date:24/02/2021
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jZWRPYaLXncddo' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA1E.tmp'
                                Imagebase:0x230000
                                File size:185856 bytes
                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:13:13:47
                                Start date:24/02/2021
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff724c50000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:13:13:47
                                Start date:24/02/2021
                                Path:C:\Users\user\Desktop\Items_02559-02663.pdf.exe
                                Wow64 process (32bit):true
                                Commandline:{path}
                                Imagebase:0xcf0000
                                File size:770048 bytes
                                MD5 hash:69B99B73945755DF4628529E5A1BF6F8
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000A.00000002.735464765.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.735464765.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.735464765.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.737807407.00000000031E1000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.737807407.00000000031E1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                Reputation:low

                                Disassembly

                                Code Analysis


                                  Executed Functions

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695090891.0000000007A10000.00000040.00000001.sdmp, Offset: 07A10000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: (
                                  • API String ID: 0-3887548279
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.694477629.00000000071A0000.00000040.00000001.sdmp, Offset: 071A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 00C4B6F0
                                  • GetCurrentThread.KERNEL32 ref: 00C4B72D
                                  • GetCurrentProcess.KERNEL32 ref: 00C4B76A
                                  • GetCurrentThreadId.KERNEL32 ref: 00C4B7C3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.681872479.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 00C4B6F0
                                  • GetCurrentThread.KERNEL32 ref: 00C4B72D
                                  • GetCurrentProcess.KERNEL32 ref: 00C4B76A
                                  • GetCurrentThreadId.KERNEL32 ref: 00C4B7C3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.681872479.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00C498D6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.681872479.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 07A11A5B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695090891.0000000007A10000.00000040.00000001.sdmp, Offset: 07A10000, based on PE: false
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID:
                                  • API String ID: 963392458-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 07A11A5B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695090891.0000000007A10000.00000040.00000001.sdmp, Offset: 07A10000, based on PE: false
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID:
                                  • API String ID: 963392458-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00C4FE0A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.681872479.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00C4FE0A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.681872479.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 00C45421
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.681872479.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 00C45421
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.681872479.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A11E15
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695090891.0000000007A10000.00000040.00000001.sdmp, Offset: 07A10000, based on PE: false
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A11E15
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695090891.0000000007A10000.00000040.00000001.sdmp, Offset: 07A10000, based on PE: false
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C4B93F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.681872479.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C4B93F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.681872479.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A11C8F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695090891.0000000007A10000.00000040.00000001.sdmp, Offset: 07A10000, based on PE: false
                                  Similarity
                                  • API ID: MemoryProcessRead
                                  • String ID:
                                  • API String ID: 1726664587-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetThreadContext.KERNELBASE(?,00000000), ref: 07A11BC7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695090891.0000000007A10000.00000040.00000001.sdmp, Offset: 07A10000, based on PE: false
                                  Similarity
                                  • API ID: ContextThread
                                  • String ID:
                                  • API String ID: 1591575202-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A11C8F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695090891.0000000007A10000.00000040.00000001.sdmp, Offset: 07A10000, based on PE: false
                                  Similarity
                                  • API ID: MemoryProcessRead
                                  • String ID:
                                  • API String ID: 1726664587-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetThreadContext.KERNELBASE(?,00000000), ref: 07A11BC7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695090891.0000000007A10000.00000040.00000001.sdmp, Offset: 07A10000, based on PE: false
                                  Similarity
                                  • API ID: ContextThread
                                  • String ID:
                                  • API String ID: 1591575202-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C49951,00000800,00000000,00000000), ref: 00C49B62
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.681872479.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C49951,00000800,00000000,00000000), ref: 00C49B62
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.681872479.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: ad893bb2d55ca15d869df3d0506d853559a2c21cd838604e073111a388826dad
                                  • Instruction ID: b67941540e4a28e853c4e30c5d0a6aa8d90e52b60ba0985f389c8ea9f606df38
                                  • Opcode Fuzzy Hash: ad893bb2d55ca15d869df3d0506d853559a2c21cd838604e073111a388826dad
                                  • Instruction Fuzzy Hash: 5D1103B6C002498FDB20CFAAD484BEEFBF4EB88324F14856AD455A7200C374A945CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A11D4B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695090891.0000000007A10000.00000040.00000001.sdmp, Offset: 07A10000, based on PE: false
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: e7938e83bfa92193db7a54656a62e269f7e650f2b50581a9a1c04b31e5ac515e
                                  • Instruction ID: 5a6070daaec112c89297451e70146064ed376d7298189b67d43b2a3b78f20ac0
                                  • Opcode Fuzzy Hash: e7938e83bfa92193db7a54656a62e269f7e650f2b50581a9a1c04b31e5ac515e
                                  • Instruction Fuzzy Hash: C61125B6900249DFDB20CF9AC884BDEBFF4FB88320F148419E528A7210D375A945CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A11D4B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695090891.0000000007A10000.00000040.00000001.sdmp, Offset: 07A10000, based on PE: false
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 65bcd7606b2a344b4090eca32a5afa77f30959ea424e584905e2ddf1b3a35633
                                  • Instruction ID: cad2f4228b2664f6050e6aadcb808a8558f81842f681af07b11066c02f3749f7
                                  • Opcode Fuzzy Hash: 65bcd7606b2a344b4090eca32a5afa77f30959ea424e584905e2ddf1b3a35633
                                  • Instruction Fuzzy Hash: 6411F2B5900649DFDB20CF9AC884BDEBFF8FB88324F148419E528A7610C375A944CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00C498D6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.681872479.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 4648f7f55a94a6850529f5d20f93b62caf3decaf21fd799376219928ae337afe
                                  • Instruction ID: b016b2655444f9b1c6b85bc3f1681b4a007784fbf33b1a0f6cc40c2f4f98badd
                                  • Opcode Fuzzy Hash: 4648f7f55a94a6850529f5d20f93b62caf3decaf21fd799376219928ae337afe
                                  • Instruction Fuzzy Hash: 55110FB6C002598FDB10CF9AC444BDEFBF8EB89324F14842AD429A7200C378A545CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • PostMessageW.USER32(?,?,?,?), ref: 07A137B5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695090891.0000000007A10000.00000040.00000001.sdmp, Offset: 07A10000, based on PE: false
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  • Opcode ID: bda4af419dbb245c1b36397670fe4c4410a6a6caa6133ed331742b1f3f767018
                                  • Instruction ID: 66583d48e3f8debdf3af5aae6a145ce55f6e15362e7abba13d09b458d347e535
                                  • Opcode Fuzzy Hash: bda4af419dbb245c1b36397670fe4c4410a6a6caa6133ed331742b1f3f767018
                                  • Instruction Fuzzy Hash: F21115B68003499FDB10CF99C985BDEFFF8EB48324F14845AE468A7200C374A944CFA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695090891.0000000007A10000.00000040.00000001.sdmp, Offset: 07A10000, based on PE: false
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: 9463c79f34879e487769abcd1b89647840bc406cfbbffc4510a765050ce3a361
                                  • Instruction ID: 29cc5c4f50542b4f60e282fa4f801653a987056411baf1ec92ce34dafd91744a
                                  • Opcode Fuzzy Hash: 9463c79f34879e487769abcd1b89647840bc406cfbbffc4510a765050ce3a361
                                  • Instruction Fuzzy Hash: 651112B1800259CFDB10CF9AD884BDEFBF4EB48324F25845AD529A7340D774A945CFA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • PostMessageW.USER32(?,?,?,?), ref: 07A137B5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695090891.0000000007A10000.00000040.00000001.sdmp, Offset: 07A10000, based on PE: false
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  • Opcode ID: 61496c579ac00ff07ea864fea7dbdd97d9c0a84cd69520309b989d642235d7de
                                  • Instruction ID: f331f157ecc06ee0b97e1a286ab999235f8084533e95c7ae29a59c317be600e2
                                  • Opcode Fuzzy Hash: 61496c579ac00ff07ea864fea7dbdd97d9c0a84cd69520309b989d642235d7de
                                  • Instruction Fuzzy Hash: 4311E2B58003499FDB10CF9AC984BDEFBF8EB49324F14845AE558A7600C374A944CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.695090891.0000000007A10000.00000040.00000001.sdmp, Offset: 07A10000, based on PE: false
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: daae1b66783a3a11539a02246ebcedbce6a4e9078e8534be272e89824ba73a7e
                                  • Instruction ID: 9a90db98ff9113b8c0e50b542698b76eb15c0460a1c5376e26db380a659c14b3
                                  • Opcode Fuzzy Hash: daae1b66783a3a11539a02246ebcedbce6a4e9078e8534be272e89824ba73a7e
                                  • Instruction Fuzzy Hash: 451123B1800249CFDB10CF9AC484BDEFBF8EF48324F24841AD529A3240C774A944CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetWindowLongW.USER32(?,?,?), ref: 00C4FF9D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.681872479.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false
                                  Similarity
                                  • API ID: LongWindow
                                  • String ID:
                                  • API String ID: 1378638983-0
                                  • Opcode ID: 982c083f788063a78f97b30443592346300713b4d79a536e043a76e5ae184d99
                                  • Instruction ID: e7ce6e57967d26766a502a8b1d1dce039b8c26b222a16d9f6c49ad4cf8fa39b3
                                  • Opcode Fuzzy Hash: 982c083f788063a78f97b30443592346300713b4d79a536e043a76e5ae184d99
                                  • Instruction Fuzzy Hash: 23F0E2B59002099FEB10CF89D484BDEBBF4FB88324F14851AE959A7240C378A945CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.694477629.00000000071A0000.00000040.00000001.sdmp, Offset: 071A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: D0l
                                  • API String ID: 0-2225038300
                                  • Opcode ID: 91d73312d800389f78b6f8f97356bfab04983c216f69624e4e2c011493ab1c6e
                                  • Instruction ID: f81ab180c9d01f06bfcaf55d15157f843aff9f91157bfaffc9215cc3b15df36f
                                  • Opcode Fuzzy Hash: 91d73312d800389f78b6f8f97356bfab04983c216f69624e4e2c011493ab1c6e
                                  • Instruction Fuzzy Hash: 24215E74B14208AFDB14EBB4D8546EEB6B3EF89214F118029D602A72C4DF355D45CB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.694477629.00000000071A0000.00000040.00000001.sdmp, Offset: 071A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e3dac7f590590de0c27b1f82af9f1dad12223c5ed5cfe9ab793622a0e420c472
                                  • Instruction ID: fc18816ec0199305fa773e9c6f69a4204b41abd6f20e14b57aa408838f6f3133
                                  • Opcode Fuzzy Hash: e3dac7f590590de0c27b1f82af9f1dad12223c5ed5cfe9ab793622a0e420c472
                                  • Instruction Fuzzy Hash: A7E177F8D19218EBDB14CFA8C8407EDBBB9FB0A314F059195C10AA73C2D734AA808F51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.694477629.00000000071A0000.00000040.00000001.sdmp, Offset: 071A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 14a63c53ae7a89a0a8b95d00262ee7c31f364aa09c27b176ecf1e74e1b331614
                                  • Instruction ID: 03c8e55207b9f8b6dceee3719d8e8509a7d8a52046453befd4b9134b8c7b5a70
                                  • Opcode Fuzzy Hash: 14a63c53ae7a89a0a8b95d00262ee7c31f364aa09c27b176ecf1e74e1b331614
                                  • Instruction Fuzzy Hash: 4A41E5B5B10215AFDB18DB78C4442AEB7F6EFC9204B11C43AD459D7395EB398C42C7A0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.694477629.00000000071A0000.00000040.00000001.sdmp, Offset: 071A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a5c001b68ea36cee56b6fcfd856cddb523b75fd6cf04a52843ee33bc729c25d0
                                  • Instruction ID: 9241da5a4b092b5867c0bcd3f9f4facf113af6cef7d864065de90ab122ef49ba
                                  • Opcode Fuzzy Hash: a5c001b68ea36cee56b6fcfd856cddb523b75fd6cf04a52843ee33bc729c25d0
                                  • Instruction Fuzzy Hash: 553127B8D0D118DBDF28CF64C5427EDB7B8AB0A314F0191D6C51AA7281D774AEC48F91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.694477629.00000000071A0000.00000040.00000001.sdmp, Offset: 071A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bddad74a2ecfb9e007e4f5950c7de401ca8a72bfa6725cefcae8faa821058d26
                                  • Instruction ID: 338aecbc03d77ce50d5edfe2ff361172168916e9d80654dfca2a800486435ef6
                                  • Opcode Fuzzy Hash: bddad74a2ecfb9e007e4f5950c7de401ca8a72bfa6725cefcae8faa821058d26
                                  • Instruction Fuzzy Hash: 47313AB8D09118DBDF28CF64C5427EDB7B4AB4A314F0152D6C51AA72C1D7746EC48F91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.694477629.00000000071A0000.00000040.00000001.sdmp, Offset: 071A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 667618e10208a63cd41e14548bfd29321e51f5cfd97c7ceb50c157cbfaf5ede8
                                  • Instruction ID: 50b07989bc562599da15befc9d7764ac06fece64c99cf97c4e5dce82e5e0bddf
                                  • Opcode Fuzzy Hash: 667618e10208a63cd41e14548bfd29321e51f5cfd97c7ceb50c157cbfaf5ede8
                                  • Instruction Fuzzy Hash: DF2148B8D09118DBDF28CF68C8423EDB7B4EB4A314F0192D6C51AA7281D7746AC58F91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.681481621.000000000097D000.00000040.00000001.sdmp, Offset: 0097D000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f5f9675f55522feec81c938510b0ed038166fff2ff41068b0a3b37b4b0aabd0a
                                  • Instruction ID: 9c6d2de06216bb76b738fb12cf07187e3c228306a5b53caa4f117c87a614c006
                                  • Opcode Fuzzy Hash: f5f9675f55522feec81c938510b0ed038166fff2ff41068b0a3b37b4b0aabd0a
                                  • Instruction Fuzzy Hash: 4121C5B2604244EFDB05DF14D5C0B26BB75FF84314F24CAA9D94D4B246C77AD847CA61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.681481621.000000000097D000.00000040.00000001.sdmp, Offset: 0097D000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a434d117cc5f3c6073877cdde8161faca186603324d928e52d23e515b43e9355
                                  • Instruction ID: 623d7afee6c97f538ff0db114caef98c9c4835a7ca7f84a25f94e72c18881e91
                                  • Opcode Fuzzy Hash: a434d117cc5f3c6073877cdde8161faca186603324d928e52d23e515b43e9355
                                  • Instruction Fuzzy Hash: 942104B6608240DFDB14DF14D9C4B26BB75FF84314F24CA69D94D4B246C73AD847CA61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.681481621.000000000097D000.00000040.00000001.sdmp, Offset: 0097D000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 48a4daa6338f88fda06fc2e331bc8901bc354332761420722911c04d4e7d779d
                                  • Instruction ID: 10bdd0ac26c25d5be09e8fb8ed5dec6d5cf824ef98e21678ebb6fe3094814bc1
                                  • Opcode Fuzzy Hash: 48a4daa6338f88fda06fc2e331bc8901bc354332761420722911c04d4e7d779d
                                  • Instruction Fuzzy Hash: BD2180765093C08FDB02CF24D994715BF71EF46314F28C5DAD8498B697C33A980ACB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.694477629.00000000071A0000.00000040.00000001.sdmp, Offset: 071A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ee0b5452612347ade483fc77629df1ea8102414902fb8d05c21d773ee08407b4
                                  • Instruction ID: 8374bd511d63fafd31196e5b722531d974e8658dc71a8f3e18743b2ef636d645
                                  • Opcode Fuzzy Hash: ee0b5452612347ade483fc77629df1ea8102414902fb8d05c21d773ee08407b4
                                  • Instruction Fuzzy Hash: 3E119EB8B04115ABDF29AA7988107BE76B2EFC5660F05C129E916DB381EB34C900C7E5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.681481621.000000000097D000.00000040.00000001.sdmp, Offset: 0097D000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 84522397b0c0072479584b34e9b527c289f971b5c41eac134402e64a3c6926ae
                                  • Instruction ID: 2baeec1548d6d82004c616e2b4900e687055172d31bcdecea662fd2ca36e8fc8
                                  • Opcode Fuzzy Hash: 84522397b0c0072479584b34e9b527c289f971b5c41eac134402e64a3c6926ae
                                  • Instruction Fuzzy Hash: F7118876904280DFDB12CF10D5C4B15FBB1FF84324F28C6AAD8494B656C33AD85ACB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.694477629.00000000071A0000.00000040.00000001.sdmp, Offset: 071A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 98a50a66f5d87e9377feca171bd9862edc0a336888901b1ad7a5425d8a563484
                                  • Instruction ID: 258d4678bbef4227fae67b4fd5f4f4a4a9d675c7e6b9951dfe15c94ea77003f6
                                  • Opcode Fuzzy Hash: 98a50a66f5d87e9377feca171bd9862edc0a336888901b1ad7a5425d8a563484
                                  • Instruction Fuzzy Hash: 2DF0A4B8959319EFDB08CBA4D81869DBBB5FF0B314F19516AD40AEB2A2D7384C018B11
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.694477629.00000000071A0000.00000040.00000001.sdmp, Offset: 071A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3d60835c38f994c70a8df1f67623cbd292c3d1862c687a4fdae7480a1b49077e
                                  • Instruction ID: 062e6db37419efc7bf8011c2e0fee2f292d701b1216ce8e713d27999384ba429
                                  • Opcode Fuzzy Hash: 3d60835c38f994c70a8df1f67623cbd292c3d1862c687a4fdae7480a1b49077e
                                  • Instruction Fuzzy Hash: B0E0C978D06309AFDB44DFA4E509AADBBB8FB85304F10A1AAC805A3694E7345A44CF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.694477629.00000000071A0000.00000040.00000001.sdmp, Offset: 071A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 54f4e28e91304ebbb66a81da74e8d7cb35ee04dc66794ffbede26a30efe07db7
                                  • Instruction ID: 26108538d43b341d0f3d6aa7ee37692c6862e3044fdadda7eeec913af14db1e5
                                  • Opcode Fuzzy Hash: 54f4e28e91304ebbb66a81da74e8d7cb35ee04dc66794ffbede26a30efe07db7
                                  • Instruction Fuzzy Hash: 97F01D78904219CFDB58DF24D8496D8BBB1FF89301F1442E5C50AA3299DB305E81CFA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.694477629.00000000071A0000.00000040.00000001.sdmp, Offset: 071A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1c1640b81dd22ef7342a3b6e74d82c98eac499e60294b955139e5868cd385831
                                  • Instruction ID: 1d42864b40105f71a279d11030eda383c247a21086b75b20f714451e9f30c473
                                  • Opcode Fuzzy Hash: 1c1640b81dd22ef7342a3b6e74d82c98eac499e60294b955139e5868cd385831
                                  • Instruction Fuzzy Hash: 81E0C9749151298FDB14DF24C9947D8B7B1FB89310F105796D919A33D8D7306E81CF40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

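The entries above record, per function, the API it calls, the memory dump region it came from, and a fuzzy hash of its instructions. The following triage helper is an added example and is not part of the Joe Sandbox report or its tooling: it parses entries in the layout printed above, groups the APIs by dump region, and flags regions whose API mix (here VirtualAllocEx together with ResumeThread in the 07A10000 region) matches the injection chain the report's signatures describe. The sample text is constructed from the entries above with argument lists shortened, the set of injection-related APIs is the author's choice, and the hash comparison is a simple positional character match, not Joe Sandbox's own similarity metric.

```python
"""Triage helper for Joe Sandbox-style function entries (added example).

Parses entries in the report's layout, groups APIs by dump region, and flags
regions whose API mix looks like a process-injection chain.
"""
import re
from collections import defaultdict

# Constructed sample in the report's layout (values taken from the entries above).
SAMPLE = """\
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?), ref: 00C49B62
• Source File: 00000000.00000002.681872479.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false
• API ID: LibraryLoad
• Instruction Fuzzy Hash: 291103B69002599FDB20CF9AD444BDEFBF4EB48320F14842AE415A7200C374A945CFA1
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?), ref: 00C49B62
• Source File: 00000000.00000002.681872479.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false
• API ID: LibraryLoad
• Instruction Fuzzy Hash: 5D1103B6C002498FDB20CFAAD484BEEFBF4EB88324F14856AD455A7200C374A945CFA1
Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A11D4B
• Source File: 00000000.00000002.695090891.0000000007A10000.00000040.00000001.sdmp, Offset: 07A10000, based on PE: false
• API ID: AllocVirtual
Uniqueness Score: -1.00%

APIs
• Source File: 00000000.00000002.695090891.0000000007A10000.00000040.00000001.sdmp, Offset: 07A10000, based on PE: false
• API ID: ResumeThread
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0149962E
• Source File: 00000004.00000002.910018236.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
• API ID: HandleModule
Uniqueness Score: -1.00%
"""

CALL_RE = re.compile(r"^\W*(\w+)\.\w+\(.*\),\s*ref:\s*([0-9A-F]{8})", re.M)
PROC_RE = re.compile(r"Source File:\s*(\d{8})\.")      # first field: process index
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-F]+)")        # dump region base
APIID_RE = re.compile(r"API ID:[ \t]*(\S+)")
HASH_RE = re.compile(r"Instruction Fuzzy Hash:\s*([0-9A-F]+)")

# Author's choice of APIs that, seen together in one region, suggest injection.
INJECTION_APIS = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                  "NtUnmapViewOfSection", "SetThreadContext", "ResumeThread"}


def parse_entries(text):
    """Split the listing at each 'Uniqueness Score' line and extract one record per entry."""
    entries = []
    for chunk in re.split(r"^\W*Uniqueness Score.*$", text, flags=re.M):
        proc, offset = PROC_RE.search(chunk), OFFSET_RE.search(chunk)
        if not (proc and offset):
            continue  # trailing whitespace, or a chunk without a dump source
        call, api_id, fhash = CALL_RE.search(chunk), APIID_RE.search(chunk), HASH_RE.search(chunk)
        entries.append({
            "process": proc.group(1),
            "region": offset.group(1),
            # Some entries (the ResumeThread ones above) carry no call line;
            # fall back to the tool's API ID token in that case.
            "api": call.group(1) if call else (api_id.group(1) if api_id else None),
            "ref": call.group(2) if call else None,
            "fhash": fhash.group(1) if fhash else None,
        })
    return entries


def apis_by_region(entries):
    regions = defaultdict(set)
    for e in entries:
        if e["api"]:
            regions[(e["process"], e["region"])].add(e["api"])
    return regions


def flag_injection_regions(entries, min_hits=2):
    """Regions where at least min_hits distinct injection-related APIs were resolved."""
    flagged = []
    for (proc, region), apis in sorted(apis_by_region(entries).items()):
        hits = sorted(apis & INJECTION_APIS)
        if len(hits) >= min_hits:
            flagged.append((proc, region, hits))
    return flagged


def call_site_variants(entries):
    """Call sites (API, ref address) that several distinct function entries reference."""
    counts = defaultdict(int)
    for e in entries:
        if e["ref"]:
            counts[(e["api"], e["ref"])] += 1
    return {k: n for k, n in counts.items() if n > 1}


def hash_similarity(a, b):
    """Positional hex-character agreement; a stand-in, not Joe Sandbox's metric."""
    if not a or not b or len(a) != len(b):
        return 0.0
    return sum(x == y for x, y in zip(a, b)) / len(a)


if __name__ == "__main__":
    entries = parse_entries(SAMPLE)
    for proc, region, hits in flag_injection_regions(entries):
        print(f"process {proc} region {region}: injection APIs {hits}")
    for (api, ref), n in call_site_variants(entries).items():
        print(f"{api} at {ref} is referenced by {n} function variants")
    print("fuzzy hash agreement:", round(hash_similarity(entries[0]["fhash"], entries[1]["fhash"]), 2))
```

On the sample this flags only the 07A10000 region of process 00000000, reports that the LoadLibraryExW call site 00C49B62 is shared by two function variants (the report lists it twice with different Opcode IDs), and shows the two LoadLibraryExW fuzzy hashes agreeing in roughly four fifths of their positions, which is what one expects from two near-identical stubs.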
                                  Non-executed Functions

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.694477629.00000000071A0000.00000040.00000001.sdmp, Offset: 071A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: 9
                                  • API String ID: 0-2366072709
                                  • Opcode ID: 526ab18c1aa01efabe5fcbdea1646b5546ccadf91bb9cb1f2b6afddb14d446c3
                                  • Instruction ID: c339c6589868f6e13dd4abc3989fddd8b4bc7ac4cf042558f51853164fcd9002
                                  • Opcode Fuzzy Hash: 526ab18c1aa01efabe5fcbdea1646b5546ccadf91bb9cb1f2b6afddb14d446c3
                                  • Instruction Fuzzy Hash: E1919FB0E0462D8BDB64DF29CE45B8ABBF5BF89300F4181E5D24CA6245E7319E95CF06
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.694477629.00000000071A0000.00000040.00000001.sdmp, Offset: 071A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: V
                                  • API String ID: 0-1342839628
                                  • Opcode ID: a3530efb08dc18df9c5a94cba2023cda4cfa63d2a2692b7391a0fa2653c61539
                                  • Instruction ID: 341e20a947c563cbb4a1fcf7a88968a8fc99a53b4758b588475fddbdfda34ce2
                                  • Opcode Fuzzy Hash: a3530efb08dc18df9c5a94cba2023cda4cfa63d2a2692b7391a0fa2653c61539
                                  • Instruction Fuzzy Hash: CB51BCB1D056598BE75DCF678D4068AFBF3AFC9200F19C0FAC548AB265EB3009868F55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.694477629.00000000071A0000.00000040.00000001.sdmp, Offset: 071A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: w*
                                  • API String ID: 0-694781695
                                  • Opcode ID: 498fd87ffb402c2f9f19d62949c64ac298ef8ca38367333528a5cfba32a44a3b
                                  • Instruction ID: 34720ad94b2eeea478f0a398e058b5891f975e0fffea14ed927f10ceb634783e
                                  • Opcode Fuzzy Hash: 498fd87ffb402c2f9f19d62949c64ac298ef8ca38367333528a5cfba32a44a3b
                                  • Instruction Fuzzy Hash: 7741A4F8E1420EEF8744CEA9C4002AEB7B6AB98200B55C5659016DB7D1E77CCB058B41
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.694477629.00000000071A0000.00000040.00000001.sdmp, Offset: 071A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: w*
                                  • API String ID: 0-694781695
                                  • Opcode ID: abe62e235fee7f11c7eb3aee5c7f3abe047aaf7b29853290d0629f2be0f578b9
                                  • Instruction ID: b218db7da25d28bf83a6fd6752270d0195bb437848bc014961151c12abf322b9
                                  • Opcode Fuzzy Hash: abe62e235fee7f11c7eb3aee5c7f3abe047aaf7b29853290d0629f2be0f578b9
                                  • Instruction Fuzzy Hash: 9E41B6F8E1820EFF8744CFA9C4002AEB7B6AB89240B55D9659016DB7D1E77CC7058F41
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.681872479.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c1ff831a7cb65f6b7c6fcc77e00adfb46592359bda8bdc260004dd4af5f4223b
                                  • Instruction ID: b68fecec10a8f7185f63843f0049f994ad0afc092fe59dbfce64db27a7947bd5
                                  • Opcode Fuzzy Hash: c1ff831a7cb65f6b7c6fcc77e00adfb46592359bda8bdc260004dd4af5f4223b
                                  • Instruction Fuzzy Hash: 661295B1511F468BE330DFA6ED983AD3BA1B785328F604308D2A15AAF2D7F5114ADF44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.681872479.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 78a9bbba490555bc9527fc970eb9ac63b18c525aac6740ad06c8e4ff403eeee6
                                  • Instruction ID: 2448cafa4c0c0273a47f102f010a618b008f87bd2e35d082d72201fef5f77c15
                                  • Opcode Fuzzy Hash: 78a9bbba490555bc9527fc970eb9ac63b18c525aac6740ad06c8e4ff403eeee6
                                  • Instruction Fuzzy Hash: 25A16F32E0021A8FCF15DFA5C8845DEB7B2FF85300B15856AE916FB261DB71AE45DB40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.681872479.0000000000C40000.00000040.00000001.sdmp, Offset: 00C40000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 82fae788c46c78265a02c464f3e12c334ee85811cc95c59079752f4b7d3fc33e
                                  • Instruction ID: b4471fbb7c73c956b161cc1495582e3eb3cb019fa88b0dcef2232e5b103115cf
                                  • Opcode Fuzzy Hash: 82fae788c46c78265a02c464f3e12c334ee85811cc95c59079752f4b7d3fc33e
                                  • Instruction Fuzzy Hash: 90C1F8B1811B468BD720DFA6EC883AD7BB1BB85328F614309D2616B6F2D7F81046DF54
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.694477629.00000000071A0000.00000040.00000001.sdmp, Offset: 071A0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Executed Functions

                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0149962E
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.910018236.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0149FD0A
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.910018236.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0149FD0A
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.910018236.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0149FE28,?,?,?,?), ref: 0149FE9D
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.910018236.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
                                  Similarity
                                  • API ID: LongWindow
                                  • String ID:
                                  • API String ID: 1378638983-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0149BCC6,?,?,?,?,?), ref: 0149BD87
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.910018236.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0149BCC6,?,?,?,?,?), ref: 0149BD87
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.910018236.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014996A9,00000800,00000000,00000000), ref: 014998BA
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.910018236.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014996A9,00000800,00000000,00000000), ref: 014998BA
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.910018236.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0149962E
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.910018236.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0149FE28,?,?,?,?), ref: 0149FE9D
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.910018236.0000000001490000.00000040.00000001.sdmp, Offset: 01490000, based on PE: false
                                  Similarity
                                  • API ID: LongWindow
                                  • String ID:
                                  • API String ID: 1378638983-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  Executed Functions

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.728599167.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 0173B6F0
                                  • GetCurrentThread.KERNEL32 ref: 0173B72D
                                  • GetCurrentProcess.KERNEL32 ref: 0173B76A
                                  • GetCurrentThreadId.KERNEL32 ref: 0173B7C3
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.720452862.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 0173B6F0
                                  • GetCurrentThread.KERNEL32 ref: 0173B72D
                                  • GetCurrentProcess.KERNEL32 ref: 0173B76A
                                  • GetCurrentThreadId.KERNEL32 ref: 0173B7C3
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.720452862.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 082B1A5B
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.729634722.00000000082B0000.00000040.00000001.sdmp, Offset: 082B0000, based on PE: false
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID: V
                                  • API String ID: 963392458-1342839628
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetThreadContext.KERNELBASE(?,00000000), ref: 082B1BC7
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.729634722.00000000082B0000.00000040.00000001.sdmp, Offset: 082B0000, based on PE: false
                                  Similarity
                                  • API ID: ContextThread
                                  • String ID: V
                                  • API String ID: 1591575202-1342839628
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 017398D6
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.720452862.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 082B1A5B
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.729634722.00000000082B0000.00000040.00000001.sdmp, Offset: 082B0000, based on PE: false
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID:
                                  • API String ID: 963392458-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0173FE0A
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.720452862.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0173FE0A
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.720452862.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 01735421
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.720452862.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 01735421
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.720452862.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 082B1E15
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.729634722.00000000082B0000.00000040.00000001.sdmp, Offset: 082B0000, based on PE: false
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 082B1E15
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.729634722.00000000082B0000.00000040.00000001.sdmp, Offset: 082B0000, based on PE: false
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0173B93F
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.720452862.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 082B1C8F
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.729634722.00000000082B0000.00000040.00000001.sdmp, Offset: 082B0000, based on PE: false
                                  Similarity
                                  • API ID: MemoryProcessRead
                                  • String ID:
                                  • API String ID: 1726664587-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0173B93F
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.720452862.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 082B1C8F
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.729634722.00000000082B0000.00000040.00000001.sdmp, Offset: 082B0000, based on PE: false
                                  Similarity
                                  • API ID: MemoryProcessRead
                                  • String ID:
                                  • API String ID: 1726664587-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetThreadContext.KERNELBASE(?,00000000), ref: 082B1BC7
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.729634722.00000000082B0000.00000040.00000001.sdmp, Offset: 082B0000, based on PE: false
                                  Similarity
                                  • API ID: ContextThread
                                  • String ID:
                                  • API String ID: 1591575202-0

                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01739951,00000800,00000000,00000000), ref: 01739B62
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.720452862.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0

                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01739951,00000800,00000000,00000000), ref: 01739B62
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.720452862.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0

                                  APIs
                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 082B1D4B
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.729634722.00000000082B0000.00000040.00000001.sdmp, Offset: 082B0000, based on PE: false
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0

                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 082B46C0
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.729634722.00000000082B0000.00000040.00000001.sdmp, Offset: 082B0000, based on PE: false
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0

                                  APIs
                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 082B1D4B
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.729634722.00000000082B0000.00000040.00000001.sdmp, Offset: 082B0000, based on PE: false
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0

                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 082B46C0
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.729634722.00000000082B0000.00000040.00000001.sdmp, Offset: 082B0000, based on PE: false
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.729634722.00000000082B0000.00000040.00000001.sdmp, Offset: 082B0000, based on PE: false
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0

                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 017398D6
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.720452862.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0

                                  APIs
                                  • PostMessageW.USER32(?,?,?,?), ref: 082B37B5
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.729634722.00000000082B0000.00000040.00000001.sdmp, Offset: 082B0000, based on PE: false
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0

                                  APIs
                                  • PostMessageW.USER32(?,?,?,?), ref: 082B37B5
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.729634722.00000000082B0000.00000040.00000001.sdmp, Offset: 082B0000, based on PE: false
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.729634722.00000000082B0000.00000040.00000001.sdmp, Offset: 082B0000, based on PE: false
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0

                                  APIs
                                  • SetWindowLongW.USER32(?,?,?), ref: 0173FF9D
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.720452862.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                  Similarity
                                  • API ID: LongWindow
                                  • String ID:
                                  • API String ID: 1378638983-0

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.728599167.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: D0l
                                  • API String ID: 0-2225038300

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.728599167.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.728599167.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.728599167.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.728599167.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.728599167.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.720353068.00000000016DD000.00000040.00000001.sdmp, Offset: 016DD000, based on PE: false

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.720376103.00000000016ED000.00000040.00000001.sdmp, Offset: 016ED000, based on PE: false

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.720376103.00000000016ED000.00000040.00000001.sdmp, Offset: 016ED000, based on PE: false

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.720376103.00000000016ED000.00000040.00000001.sdmp, Offset: 016ED000, based on PE: false

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.728599167.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.720353068.00000000016DD000.00000040.00000001.sdmp, Offset: 016DD000, based on PE: false

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.720376103.00000000016ED000.00000040.00000001.sdmp, Offset: 016ED000, based on PE: false

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.720353068.00000000016DD000.00000040.00000001.sdmp, Offset: 016DD000, based on PE: false

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.720353068.00000000016DD000.00000040.00000001.sdmp, Offset: 016DD000, based on PE: false

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.728599167.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.728599167.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.728599167.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.728599167.0000000007890000.00000040.00000001.sdmp, Offset: 07890000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  Executed Functions

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 017DB730
                                  • GetCurrentThread.KERNEL32 ref: 017DB76D
                                  • GetCurrentProcess.KERNEL32 ref: 017DB7AA
                                  • GetCurrentThreadId.KERNEL32 ref: 017DB803
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.736284215.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: false
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 017DB730
                                  • GetCurrentThread.KERNEL32 ref: 017DB76D
                                  • GetCurrentProcess.KERNEL32 ref: 017DB7AA
                                  • GetCurrentThreadId.KERNEL32 ref: 017DB803
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.736284215.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: false
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.737744890.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.736284215.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 017D962E
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.736284215.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: false
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 017DFD0A
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.736284215.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: false
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 031C46B1
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.737744890.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 031C46B1
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.737744890.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 031C2531
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.737744890.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false
                                  Similarity
                                  • API ID: CallProcWindow
                                  • String ID:
                                  • API String ID: 2714655100-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 031CB957
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.737744890.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false
                                  Similarity
                                  • API ID: CreateFromIconResource
                                  • String ID:
                                  • API String ID: 3668623891-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017DBD87
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.736284215.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: false
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017DBD87
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.736284215.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: false
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,017D96A9,00000800,00000000,00000000), ref: 017D98BA
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.736284215.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,017D96A9,00000800,00000000,00000000), ref: 017D98BA
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.736284215.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 031CB957
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.737744890.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false
                                  Similarity
                                  • API ID: CreateFromIconResource
                                  • String ID:
                                  • API String ID: 3668623891-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • PostMessageW.USER32(?,014053E8,00000000,?), ref: 031CE73D
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.737744890.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • PostMessageW.USER32(?,014053E8,00000000,?), ref: 031CE73D
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.737744890.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetWindowLongW.USER32(?,?,?), ref: 017DFE9D
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.736284215.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: false
                                  Similarity
                                  • API ID: LongWindow
                                  • String ID:
                                  • API String ID: 1378638983-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 017D962E
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.736284215.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: false
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • OleInitialize.OLE32(00000000), ref: 031CF435
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.737744890.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false
                                  Similarity
                                  • API ID: Initialize
                                  • String ID:
                                  • API String ID: 2538663250-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • PostMessageW.USER32(?,00000018,00000001,?), ref: 031CD29D
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.737744890.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • PostMessageW.USER32(?,00000018,00000001,?), ref: 031CD29D
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.737744890.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 031CBCBD
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.737744890.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID:
                                  • API String ID: 3850602802-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,031C226A,?,00000000,?), ref: 031CC435
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.737744890.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID:
                                  • API String ID: 3850602802-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,031C226A,?,00000000,?), ref: 031CC435
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.737744890.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID:
                                  • API String ID: 3850602802-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 031CBCBD
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.737744890.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID:
                                  • API String ID: 3850602802-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • OleInitialize.OLE32(00000000), ref: 031CF435
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.737744890.00000000031C0000.00000040.00000001.sdmp, Offset: 031C0000, based on PE: false
                                  Similarity
                                  • API ID: Initialize
                                  • String ID:
                                  • API String ID: 2538663250-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetWindowLongW.USER32(?,?,?), ref: 017DFE9D
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.736284215.00000000017D0000.00000040.00000001.sdmp, Offset: 017D0000, based on PE: false
                                  Similarity
                                  • API ID: LongWindow
                                  • String ID:
                                  • API String ID: 1378638983-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.735943289.000000000136D000.00000040.00000001.sdmp, Offset: 0136D000, based on PE: false
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.735973424.000000000137D000.00000040.00000001.sdmp, Offset: 0137D000, based on PE: false
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.735973424.000000000137D000.00000040.00000001.sdmp, Offset: 0137D000, based on PE: false
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.735943289.000000000136D000.00000040.00000001.sdmp, Offset: 0136D000, based on PE: false
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions