Analysis Report QuotationOrder.pdf.exe

Overview

General Information

Sample Name: QuotationOrder.pdf.exe
Analysis ID: 412361
MD5: 14e431bcb3fdb77cd13912a5cbef9e40
SHA1: 717c23d8bd639b9e22e2de994ef8ef87f575b48c
SHA256: 378932d5fc866bfe3ae59abe125e21da19ae9fd819976fd1fdd73f8fce110b7e
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected AntiVM3
Yara detected Nanocore RAT
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • QuotationOrder.pdf.exe (PID: 6248 cmdline: 'C:\Users\user\Desktop\QuotationOrder.pdf.exe' MD5: 14E431BCB3FDB77CD13912A5CBEF9E40)
    • schtasks.exe (PID: 6348 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RLaczhWDn' /XML 'C:\Users\user\AppData\Local\Temp\tmpAF14.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • MSBuild.exe (PID: 6400 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: D621FD77BD585874F9686D3A76462EF1)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "7d9d1b37-9225-4679-a6f4-60db74de", "Group": "TBOSS1", "Domain1": "194.5.98.19", "Domain2": "tboss1.ddns.net", "Port": 53795, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings are listed under each row)
00000000.00000002.243826185.00000000043B9000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xc5065:$x1: NanoCore.ClientPluginHost
  • 0xc50a2:$x2: IClientNetworkHost
  • 0xc8bd5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.243826185.00000000043B9000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.243826185.00000000043B9000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xc4dcd:$a: NanoCore
  • 0xc4ddd:$a: NanoCore
  • 0xc5011:$a: NanoCore
  • 0xc5025:$a: NanoCore
  • 0xc5065:$a: NanoCore
  • 0xc4e2c:$b: ClientPlugin
  • 0xc502e:$b: ClientPlugin
  • 0xc506e:$b: ClientPlugin
  • 0xc4f53:$c: ProjectData
  • 0xc595a:$d: DESCrypto
  • 0xcd326:$e: KeepAlive
  • 0xcb314:$g: LogClientMessage
  • 0xc750f:$i: get_Connected
  • 0xc5c90:$j: #=q
  • 0xc5cc0:$j: #=q
  • 0xc5cdc:$j: #=q
  • 0xc5d0c:$j: #=q
  • 0xc5d28:$j: #=q
  • 0xc5d44:$j: #=q
  • 0xc5d74:$j: #=q
  • 0xc5d90:$j: #=q
00000000.00000002.243971939.0000000004508000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x14844d:$x1: NanoCore.ClientPluginHost
  • 0x14848a:$x2: IClientNetworkHost
  • 0x14bfbd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.243971939.0000000004508000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author (matched strings are listed under each row)
0.2.QuotationOrder.pdf.exe.446ded8.3.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.QuotationOrder.pdf.exe.446ded8.3.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
0.2.QuotationOrder.pdf.exe.446ded8.3.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.QuotationOrder.pdf.exe.446ded8.3.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xe0f5:$a: NanoCore
  • 0xe105:$a: NanoCore
  • 0xe339:$a: NanoCore
  • 0xe34d:$a: NanoCore
  • 0xe38d:$a: NanoCore
  • 0xe154:$b: ClientPlugin
  • 0xe356:$b: ClientPlugin
  • 0xe396:$b: ClientPlugin
  • 0xe27b:$c: ProjectData
  • 0xec82:$d: DESCrypto
  • 0x1664e:$e: KeepAlive
  • 0x1463c:$g: LogClientMessage
  • 0x10837:$i: get_Connected
  • 0xefb8:$j: #=q
  • 0xefe8:$j: #=q
  • 0xf004:$j: #=q
  • 0xf034:$j: #=q
  • 0xf050:$j: #=q
  • 0xf06c:$j: #=q
  • 0xf09c:$j: #=q
  • 0xf0b8:$j: #=q
0.2.QuotationOrder.pdf.exe.446ded8.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 6400, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 6400, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentCommandLine: 'C:\Users\user\Desktop\QuotationOrder.pdf.exe' , ParentImage: C:\Users\user\Desktop\QuotationOrder.pdf.exe, ParentProcessId: 6248, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 6400

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 6400, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 6400, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.QuotationOrder.pdf.exe.446ded8.3.raw.unpack; Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "7d9d1b37-9225-4679-a6f4-60db74de", "Group": "TBOSS1", "Domain1": "194.5.98.19", "Domain2": "tboss1.ddns.net", "Port": 53795, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\RLaczhWDn.exe; ReversingLabs: Detection: 12%
Multi AV Scanner detection for submitted file
Source: QuotationOrder.pdf.exe; ReversingLabs: Detection: 12%
Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.243826185.00000000043B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.243971939.0000000004508000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: QuotationOrder.pdf.exe PID: 6248, type: MEMORY
Source: Yara match; File source: 0.2.QuotationOrder.pdf.exe.446ded8.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.QuotationOrder.pdf.exe.446ded8.3.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\RLaczhWDn.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: QuotationOrder.pdf.exe; Joe Sandbox ML: detected
Source: QuotationOrder.pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: QuotationOrder.pdf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: q.pdB source: QuotationOrder.pdf.exe, 00000000.00000002.243971939.0000000004508000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: tboss1.ddns.net
Source: Malware configuration extractor; URLs: 194.5.98.19
Source: global traffic; TCP traffic: 192.168.2.7:49705 -> 194.5.98.19:53795
Source: Joe Sandbox View; ASN Name: DANILENKODE DANILENKODE
Source: unknown; TCP traffic detected without corresponding DNS query: 20.190.160.8
Source: unknown; TCP traffic detected without corresponding DNS query: 194.5.98.19
Source: QuotationOrder.pdf.exe, 00000000.00000002.243492551.00000000033B1000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp; String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49677
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown; Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown; Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49683 -> 443
Source: QuotationOrder.pdf.exe, 00000000.00000002.242937271.0000000001598000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.243826185.00000000043B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.243971939.0000000004508000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: QuotationOrder.pdf.exe PID: 6248, type: MEMORY
Source: Yara match; File source: 0.2.QuotationOrder.pdf.exe.446ded8.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.QuotationOrder.pdf.exe.446ded8.3.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.243826185.00000000043B9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.243826185.00000000043B9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.243971939.0000000004508000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.243971939.0000000004508000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: QuotationOrder.pdf.exe PID: 6248, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: QuotationOrder.pdf.exe PID: 6248, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.QuotationOrder.pdf.exe.446ded8.3.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0.2.QuotationOrder.pdf.exe.446ded8.3.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.QuotationOrder.pdf.exe.446ded8.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0.2.QuotationOrder.pdf.exe.446ded8.3.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: QuotationOrder.pdf.exe
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe; Code function: 0_2_018199D8
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe; Code function: 0_2_03264918
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe; Code function: 0_2_032641D0
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe; Code function: 0_2_032660CD
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe; Code function: 0_2_03267717
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe; Code function: 0_2_03264FD0
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe; Code function: 0_2_03263E28
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe; Code function: 0_2_03265E78
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe; Code function: 0_2_03265A61
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe; Code function: 0_2_03265A70
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe; Code function: 0_2_03266134
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe; Code function: 0_2_03264908
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe; Code function: 0_2_032641C2
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe; Code function: 0_2_03260006
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe; Code function: 0_2_03267843
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe; Code function: 0_2_03260040
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe; Code function: 0_2_03264FC0
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe; Code function: 0_2_03263E18
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe; Code function: 0_2_03265E68
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe; Code function: 0_2_03263C50
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe; Code function: 0_2_0588DAB0
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe; Code function: 0_2_0588B760
Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe; Code function: 0_2_0588B770
        Source: QuotationOrder.pdf.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: RLaczhWDn.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: QuotationOrder.pdf.exe, 00000000.00000002.247694872.000000000C1E0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs QuotationOrder.pdf.exe
        Source: QuotationOrder.pdf.exe, 00000000.00000003.233367638.0000000001642000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWaitHandle.exeP vs QuotationOrder.pdf.exe
        Source: QuotationOrder.pdf.exe, 00000000.00000002.243971939.0000000004508000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDSASignature.dll@ vs QuotationOrder.pdf.exe
        Source: QuotationOrder.pdf.exe, 00000000.00000002.243492551.00000000033B1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSimpleUI.dll( vs QuotationOrder.pdf.exe
        Source: QuotationOrder.pdf.exe, 00000000.00000002.247916879.000000000C2E0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs QuotationOrder.pdf.exe
        Source: QuotationOrder.pdf.exe, 00000000.00000002.247916879.000000000C2E0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs QuotationOrder.pdf.exe
        Source: QuotationOrder.pdf.exeBinary or memory string: OriginalFilenameWaitHandle.exeP vs QuotationOrder.pdf.exe
        Source: QuotationOrder.pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 00000000.00000002.243826185.00000000043B9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.243826185.00000000043B9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.243971939.0000000004508000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.243971939.0000000004508000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: QuotationOrder.pdf.exe PID: 6248, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: QuotationOrder.pdf.exe PID: 6248, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.QuotationOrder.pdf.exe.446ded8.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.QuotationOrder.pdf.exe.446ded8.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.QuotationOrder.pdf.exe.446ded8.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.QuotationOrder.pdf.exe.446ded8.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.QuotationOrder.pdf.exe.446ded8.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.QuotationOrder.pdf.exe.446ded8.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: QuotationOrder.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: RLaczhWDn.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: classification engineClassification label: mal100.troj.evad.winEXE@6/8@0/1
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exeFile created: C:\Users\user\AppData\Roaming\RLaczhWDn.exeJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{7d9d1b37-9225-4679-a6f4-60db74de0410}
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6356:120:WilError_01
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exeMutant created: \Sessions\1\BaseNamedObjects\LKKjbTstsW
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exeFile created: C:\Users\user\AppData\Local\Temp\tmpAF14.tmpJump to behavior
        Source: QuotationOrder.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
        Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
        Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
        Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
        Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
        Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
        Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
        Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
        Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
        Source: QuotationOrder.pdf.exe | ReversingLabs: Detection: 12%
        Source: QuotationOrder.pdf.exe | String found in binary or memory: ^(Male|Female)$-Add Student Details :-
        Source: QuotationOrder.pdf.exe | String found in binary or memory: Teacher Name-Add Teacher Details :-
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | File read: C:\Users\user\Desktop\QuotationOrder.pdf.exe
        Source: unknown | Process created: C:\Users\user\Desktop\QuotationOrder.pdf.exe 'C:\Users\user\Desktop\QuotationOrder.pdf.exe'
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RLaczhWDn' /XML 'C:\Users\user\AppData\Local\Temp\tmpAF14.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RLaczhWDn' /XML 'C:\Users\user\AppData\Local\Temp\tmpAF14.tmp'
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: QuotationOrder.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: QuotationOrder.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: q.pdB | source: QuotationOrder.pdf.exe, 00000000.00000002.243971939.0000000004508000.00000004.00000001.sdmp
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Code function: 0_2_03263380 push ebx; retf 0_2_03263388
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Code function: 0_2_03263922 push ebx; iretd 0_2_03263924
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Code function: 0_2_03263918 push ebx; iretd 0_2_0326391A
        Source: initial sample | Static PE information: section name: .text entropy: 7.65733353837
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | File created: C:\Users\user\AppData\Roaming\RLaczhWDn.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RLaczhWDn' /XML 'C:\Users\user\AppData\Local\Temp\tmpAF14.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Uses an obfuscated file name to hide its real file extension (double extension)
        Source: Possible double extension: pdf.exe | Static PE information: QuotationOrder.pdf.exe
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM3
        Source: Yara match | File source: 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: QuotationOrder.pdf.exe PID: 6248, type: MEMORY
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 4920
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 4766
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: foregroundWindowGot 739
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: foregroundWindowGot 626
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe TID: 6252 | Thread sleep time: -104892s >= -30000s
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe TID: 6408 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6496 | Thread sleep time: -18446744073709540s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Thread delayed: delay time: 104892
        Source: MSBuild.exe, 00000003.00000003.290304771.0000000001437000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3cP
        Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: vmware
        Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
        Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
        Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: VMWARE
        Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
        Source: QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Process token adjusted: Debug
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Allocates memory in foreign processes
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
        Injects a PE file into a foreign process
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
        Writes to foreign memory regions
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 420000
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 422000
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F3A008
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RLaczhWDn' /XML 'C:\Users\user\AppData\Local\Temp\tmpAF14.tmp'
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Queries volume information: C:\Users\user\Desktop\QuotationOrder.pdf.exe VolumeInformation
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Users\user\Desktop\QuotationOrder.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000000.00000002.243826185.00000000043B9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.243971939.0000000004508000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: QuotationOrder.pdf.exe PID: 6248, type: MEMORY
        Source: Yara match | File source: 0.2.QuotationOrder.pdf.exe.446ded8.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.QuotationOrder.pdf.exe.446ded8.3.raw.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore RAT
        Source: QuotationOrder.pdf.exe, 00000000.00000002.243971939.0000000004508000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: MSBuild.exe, 00000003.00000003.264054732.000000000145D000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000000.00000002.243826185.00000000043B9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.243971939.0000000004508000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: QuotationOrder.pdf.exe PID: 6248, type: MEMORY
        Source: Yara match | File source: 0.2.QuotationOrder.pdf.exe.446ded8.3.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.QuotationOrder.pdf.exe.446ded8.3.raw.unpack, type: UNPACKEDPE

        MITRE ATT&CK Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Windows Management Instrumentation 1 | Scheduled Task/Job 1 | Process Injection 311 | Masquerading 11 | Input Capture 1 | Query Registry 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Command and Scripting Interpreter 2 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 221 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | Scheduled Task/Job 1 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 311 | NTDS | Virtualization/Sandbox Evasion 31 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | Carrier Billing Fraud |
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 12 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 2 | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 12 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        QuotationOrder.pdf.exe | 13% | ReversingLabs | Win32.Trojan.Wacatac
        QuotationOrder.pdf.exe | 100% | Joe Sandbox ML |

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Roaming\RLaczhWDn.exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Roaming\RLaczhWDn.exe | 13% | ReversingLabs | Win32.Trojan.Wacatac

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label
        tboss1.ddns.net | 0% | Avira URL Cloud | safe
        194.5.98.19 | 0% | Virustotal |
        194.5.98.19 | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        No contacted domains info

        Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        tboss1.ddns.net | true | Avira URL Cloud: safe | unknown
        194.5.98.19 | true | Virustotal: 0%; Avira URL Cloud: safe | unknown

        URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | QuotationOrder.pdf.exe, 00000000.00000002.243492551.00000000033B1000.00000004.00000001.sdmp | false | | high
        https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | QuotationOrder.pdf.exe, 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp | false | | high

            Contacted IPs

            Public

        IP | Domain | Country | ASN | ASN Name | Malicious
        194.5.98.19 | unknown | Netherlands | 208476 | DANILENKODE | true

            General Information

        Joe Sandbox Version: 32.0.0 Black Diamond
        Analysis ID: 412361
        Start date: 12.05.2021
        Start time: 16:37:08
        Joe Sandbox Product: CloudBasic
        Overall analysis duration: 0h 8m 9s
        Hypervisor based Inspection enabled: false
        Report type: full
        Sample file name: QuotationOrder.pdf.exe
        Cookbook file name: default.jbs
        Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of new started processes analysed: 30
        Number of new started drivers analysed: 0
        Number of existing processes analysed: 0
        Number of existing drivers analysed: 0
        Number of injected processes analysed: 0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
        Analysis Mode: default
        Analysis stop reason: Timeout
        Detection: MAL
        Classification: mal100.troj.evad.winEXE@6/8@0/1
        EGA Information: Failed
        HDC Information: Failed
            HCA Information:
            • Successful, ratio: 99%
            • Number of executed functions: 47
            • Number of non-executed functions: 9
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            Warnings:
            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
            • Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 20.82.209.183, 104.43.139.144, 40.88.32.150, 92.122.145.220, 184.30.20.56, 2.20.143.16, 2.20.142.209, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247
            • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.

            Simulations

            Behavior and APIs

            Time | Type | Description
            16:37:58 | API Interceptor | 2x Sleep call for process: QuotationOrder.pdf.exe modified

            Joe Sandbox View / Context

            IPs

            Match | Associated Sample Name / URL | Detection
            194.5.98.19 | http://saggepaylive.co/Receipt of BACS payment 20092018.jar | malicious
            194.5.98.19 | https://fellasconstrltd.co.uk | malicious
            194.5.98.19 | https://www.aeroart.com.au/wp-admin/remittance.jar | malicious
            194.5.98.19 | remittance.jar | malicious

                    Domains

                    No context

                    ASN

                    Match | Associated Sample Name / URL | Detection | Context
                    DANILENKODE | Quotation.jar | malicious | 194.5.98.38
                    DANILENKODE | Quotation.jar | malicious | 194.5.98.38
                    DANILENKODE | 47755769_by_Libranalysis.exe | malicious | 194.5.98.210
                    DANILENKODE | Contract_kyrgyzstan_pdf.exe | malicious | 194.5.98.203
                    DANILENKODE | y3t4g48gj6_PAYMENT.exe | malicious | 194.5.97.75
                    DANILENKODE | y3t4g48gj6_PAYMENT.exe | malicious | 194.5.97.75
                    DANILENKODE | Quotation.jar | malicious | 194.5.98.38
                    DANILENKODE | 5lQuLT5Zu8.exe | malicious | 194.5.97.116
                    DANILENKODE | IPUt7Nr2CH.exe | malicious | 194.5.97.75
                    DANILENKODE | Passport_ID_jpg.jar | malicious | 194.5.98.228
                    DANILENKODE | Vd80r7R7K5.exe | malicious | 194.5.98.208
                    DANILENKODE | noVPhNP46G.exe | malicious | 194.5.98.208
                    DANILENKODE | LQ0dDP64uk.exe | malicious | 194.5.98.208
                    DANILENKODE | SCAN_DOCX-36673672.exe | malicious | 194.5.97.11
                    DANILENKODE | 4b092c1e_by_Libranalysis.docx | malicious | 194.5.98.208
                    DANILENKODE | QW8lWJDpU8.exe | malicious | 194.5.98.5
                    DANILENKODE | 2a8f04dd_by_Libranalysis.docm | malicious | 194.5.98.210
                    DANILENKODE | Invoice_orderYscFwfO1peuGl0w.exe | malicious | 194.5.98.250
                    DANILENKODE | Quotation.jar | malicious | 194.5.97.87
                    DANILENKODE | Quotation.jar | malicious | 194.5.97.87

                    JA3 Fingerprints

                    No context

                    Dropped Files

                    No context

                    Created / dropped Files

                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QuotationOrder.pdf.exe.log
                    Process:C:\Users\user\Desktop\QuotationOrder.pdf.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:modified
                    Size (bytes):1314
                    Entropy (8bit):5.350128552078965
                    Encrypted:false
                    SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                    MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                    SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                    SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                    SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                    Malicious:true
                    Reputation:high, very likely benign file
                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                    C:\Users\user\AppData\Local\Temp\tmpAF14.tmp
                    Process:C:\Users\user\Desktop\QuotationOrder.pdf.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):1658
                    Entropy (8bit):5.172758791574188
                    Encrypted:false
                    SSDEEP:24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBIItn:cbhH7MlNQ8/rydbz9I3YODOLNdq3Cu
                    MD5:B79D81932ABEC23FDC88F5174005E22B
                    SHA1:8AD532699EFB3ABDB0C9C8CE6AB813D3A8E61A43
                    SHA-256:AAD7A31CC58EE7586719F33F84442BC343F68268E17B57F9925819FE2C5C954D
                    SHA-512:2D5FEB2DFB7A5F739781017063E37FC36FC1FA1B9CD0938B5207D7A4D2621F9DD14D2EC9A1EDB6FE106CC7309075621133C8DB4A49A8AA4B2E4497D61FD6C5EA
                    Malicious:true
                    Reputation:low
                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv
                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):232
                    Entropy (8bit):7.024371743172393
                    Encrypted:false
                    SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
                    MD5:32D0AAE13696FF7F8AF33B2D22451028
                    SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
                    SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
                    SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.
                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):8
                    Entropy (8bit):3.0
                    Encrypted:false
                    SSDEEP:3:f:f
                    MD5:98FFEE1BE6A389DA995E26874A8902A7
                    SHA1:6A9A6943232179F45B37AB51E3424DAB9F229281
                    SHA-256:0D6B2577E2F9D323C9632D28ED41AC91DBBE5FC476A0FAAADEA9BDA4685EF368
                    SHA-512:8ED324A779482DD98B6D35C4873D0C2421E034BC53A6E8AC7301ED35C27A3A49D6E5DCFF65EE966300E29F29FA55B1A778C44D6D2BE0F3388E308390EF5CF753
                    Malicious:true
                    Reputation:low
                    Preview: .:.....H
                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):40
                    Entropy (8bit):5.153055907333276
                    Encrypted:false
                    SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                    MD5:4E5E92E2369688041CC82EF9650EDED2
                    SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                    SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                    SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):327432
                    Entropy (8bit):7.99938831605763
                    Encrypted:true
                    SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                    MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                    SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                    SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                    SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                    Malicious:false
                    Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                    C:\Users\user\AppData\Roaming\RLaczhWDn.exe
                    Process:C:\Users\user\Desktop\QuotationOrder.pdf.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):850944
                    Entropy (8bit):7.33046471356557
                    Encrypted:false
                    SSDEEP:24576:CHqaISNYHhszddtBr+8qqbGdxP9rm0JU0:2vZuAddtyi8P/
                    MD5:14E431BCB3FDB77CD13912A5CBEF9E40
                    SHA1:717C23D8BD639B9E22E2DE994EF8EF87F575B48C
                    SHA-256:378932D5FC866BFE3AE59ABE125E21DA19AE9FD819976FD1FDD73F8FCE110B7E
                    SHA-512:2E8A8B5117F1680C30A3F8234BA2944BE4543F94EA7753720087C839F45901296ACD2072A3EBBC18292882015ABF8790B86B000FEAECAFB3452E074713927671
                    Malicious:true
                    Antivirus:
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 13%
                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....`..............P..L...........k... ........@.. .......................`............@..................................k..O.......<....................@....................................................... ............... ..H............text....K... ...L.................. ..`.rsrc...<............N..............@..@.reloc.......@......................@..B.................k......H...........8...........0...X............................................0............( ...(!.........(.....o"....*.....................(#......($......(%......(&......('....*N..(....oS...((....*&..()....*.s*........s+........s,........s-........s.........*....0...........~....o/....+..*.0...........~....o0....+..*.0...........~....o1....+..*.0...........~....o2....+..*.0...........~....o3....+..*.0..<........~.....(4.....,!r...p.....(5...o6...s7............~.....+..*.0......
                    C:\Users\user\AppData\Roaming\RLaczhWDn.exe:Zone.Identifier
                    Process:C:\Users\user\Desktop\QuotationOrder.pdf.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):26
                    Entropy (8bit):3.95006375643621
                    Encrypted:false
                    SSDEEP:3:ggPYV:rPYV
                    MD5:187F488E27DB4AF347237FE461A079AD
                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                    Malicious:true
                    Preview: [ZoneTransfer]....ZoneId=0

                    Static File Info

                    General

                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Entropy (8bit):7.33046471356557
                    TrID:
                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    • Win32 Executable (generic) a (10002005/4) 49.78%
                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                    • Generic Win/DOS Executable (2004/3) 0.01%
                    • DOS Executable Generic (2002/1) 0.01%
                    File name:QuotationOrder.pdf.exe
                    File size:850944
                    MD5:14e431bcb3fdb77cd13912a5cbef9e40
                    SHA1:717c23d8bd639b9e22e2de994ef8ef87f575b48c
                    SHA256:378932d5fc866bfe3ae59abe125e21da19ae9fd819976fd1fdd73f8fce110b7e
                    SHA512:2e8a8b5117f1680c30a3f8234ba2944be4543f94ea7753720087c839f45901296acd2072a3ebbc18292882015abf8790b86b000feaecafb3452e074713927671
                    SSDEEP:24576:CHqaISNYHhszddtBr+8qqbGdxP9rm0JU0:2vZuAddtyi8P/
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P..L...........k... ........@.. .......................`............@................................

                    File Icon

                    Icon Hash:cc92316d713396e8

                    Static PE Info

                    General

                    Entrypoint:0x4b6bda
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Time Stamp:0x609BD296 [Wed May 12 13:05:26 2021 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:v4.0.30319
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                    Entrypoint Preview

                    Instruction
                    jmp dword ptr [00402000h]
                    add byte ptr [eax], al

                    Data Directories

                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb6b88 | 0x4f | .text
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb8000 | 0x1ab3c | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd4000 | 0xc | .reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                    Sections

                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x2000 | 0xb4be0 | 0xb4c00 | False | 0.811643650588 | data | 7.65733353837 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    .rsrc | 0xb8000 | 0x1ab3c | 0x1ac00 | False | 0.145973276869 | data | 3.15479172029 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .reloc | 0xd4000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                    Resources

                    Name | RVA | Size | Type | Language | Country
                    RT_ICON | 0xb8220 | 0x468 | GLS_BINARY_LSB_FIRST | |
                    RT_ICON | 0xb8688 | 0x162a | PNG image data, 256 x 256, 8-bit colormap, non-interlaced | |
                    RT_ICON | 0xb9cb4 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
                    RT_ICON | 0xbc25c | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | |
                    RT_ICON | 0xbd304 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
                    RT_ICON | 0xcdb2c | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
                    RT_GROUP_ICON | 0xd1d54 | 0x5a | data | |
                    RT_VERSION | 0xd1db0 | 0x35c | data | |
                    RT_MANIFEST | 0xd210c | 0xa2e | XML 1.0 document, UTF-8 Unicode (with BOM) text | |

                    Imports

                    DLL | Import
                    mscoree.dll | _CorExeMain

                    Version Infos

                    Description | Data
                    Translation | 0x0000 0x04b0
                    LegalCopyright | Copyright 2020
                    Assembly Version | 1.0.0.0
                    InternalName | WaitHandle.exe
                    FileVersion | 1.0.0.0
                    CompanyName |
                    LegalTrademarks |
                    Comments |
                    ProductName | LibraryManagementSystem
                    ProductVersion | 1.0.0.0
                    FileDescription | LibraryManagementSystem
                    OriginalFilename | WaitHandle.exe

                    Network Behavior

                    Network Port Distribution

                    TCP Packets

                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    May 12, 2021 16:37:49.402602911 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.402625084 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.402640104 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.402653933 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.402666092 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.402678967 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.402692080 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.402704954 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.402720928 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.402798891 CEST | 49683 | 443 | 192.168.2.7 | 20.190.160.8
                    May 12, 2021 16:37:49.406750917 CEST | 443 | 49686 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.406775951 CEST | 443 | 49686 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.437081099 CEST | 49683 | 443 | 192.168.2.7 | 20.190.160.8
                    May 12, 2021 16:37:49.437128067 CEST | 49683 | 443 | 192.168.2.7 | 20.190.160.8
                    May 12, 2021 16:37:49.446013927 CEST | 443 | 49686 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.484226942 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.484262943 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.558038950 CEST | 443 | 49686 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.558084965 CEST | 443 | 49686 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.558279991 CEST | 49686 | 443 | 192.168.2.7 | 20.190.160.8
                    May 12, 2021 16:37:49.572079897 CEST | 49686 | 443 | 192.168.2.7 | 20.190.160.8
                    May 12, 2021 16:37:49.572144985 CEST | 49686 | 443 | 192.168.2.7 | 20.190.160.8
                    May 12, 2021 16:37:49.626034021 CEST | 443 | 49686 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.628714085 CEST | 443 | 49686 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.637880087 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.637937069 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.637986898 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.638031960 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.638073921 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.638114929 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.638154030 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.638170004 CEST | 49683 | 443 | 192.168.2.7 | 20.190.160.8
                    May 12, 2021 16:37:49.638189077 CEST | 49683 | 443 | 192.168.2.7 | 20.190.160.8
                    May 12, 2021 16:37:49.638194084 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.638233900 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.638350010 CEST | 49683 | 443 | 192.168.2.7 | 20.190.160.8
                    May 12, 2021 16:37:49.638359070 CEST | 49683 | 443 | 192.168.2.7 | 20.190.160.8
                    May 12, 2021 16:37:49.793132067 CEST | 443 | 49686 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.793154955 CEST | 443 | 49686 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.793168068 CEST | 443 | 49686 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.793185949 CEST | 443 | 49686 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.793205976 CEST | 443 | 49686 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.793225050 CEST | 443 | 49686 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.793241024 CEST | 443 | 49686 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.793256998 CEST | 443 | 49686 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.793276072 CEST | 443 | 49686 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.793291092 CEST | 49686 | 443 | 192.168.2.7 | 20.190.160.8
                    May 12, 2021 16:37:49.793385983 CEST | 49686 | 443 | 192.168.2.7 | 20.190.160.8
                    May 12, 2021 16:37:49.859034061 CEST | 49683 | 443 | 192.168.2.7 | 20.190.160.8
                    May 12, 2021 16:37:49.859078884 CEST | 49683 | 443 | 192.168.2.7 | 20.190.160.8
                    May 12, 2021 16:37:49.860367060 CEST | 49686 | 443 | 192.168.2.7 | 20.190.160.8
                    May 12, 2021 16:37:49.860460043 CEST | 49686 | 443 | 192.168.2.7 | 20.190.160.8
                    May 12, 2021 16:37:49.906537056 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.906565905 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.913742065 CEST | 443 | 49686 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.913774014 CEST | 443 | 49686 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:49.948044062 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:50.065779924 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:50.065824986 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:50.065845013 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:50.065871000 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:50.065895081 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:50.065918922 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:50.065943003 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:50.065967083 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:50.065989971 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:50.066137075 CEST | 49683 | 443 | 192.168.2.7 | 20.190.160.8
                    May 12, 2021 16:37:50.066188097 CEST | 49683 | 443 | 192.168.2.7 | 20.190.160.8
                    May 12, 2021 16:37:50.069802999 CEST | 443 | 49686 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:50.069839001 CEST | 443 | 49686 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:50.069864988 CEST | 443 | 49686 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:50.069890022 CEST | 443 | 49686 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:50.069915056 CEST | 443 | 49686 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:50.069942951 CEST | 443 | 49686 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:50.069960117 CEST | 49686 | 443 | 192.168.2.7 | 20.190.160.8
                    May 12, 2021 16:37:50.069969893 CEST | 443 | 49686 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:50.069998026 CEST | 443 | 49686 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:50.070005894 CEST | 49686 | 443 | 192.168.2.7 | 20.190.160.8
                    May 12, 2021 16:37:50.070022106 CEST | 443 | 49686 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:37:50.070054054 CEST | 49686 | 443 | 192.168.2.7 | 20.190.160.8
                    May 12, 2021 16:37:50.125252962 CEST | 49686 | 443 | 192.168.2.7 | 20.190.160.8
                    May 12, 2021 16:38:04.338349104 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:04.625350952 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:04.626024008 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:04.663634062 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:05.025593996 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:05.025703907 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:05.673342943 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:05.673434973 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:06.131752968 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:06.208240986 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:06.847779989 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:06.854868889 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:06.857724905 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:07.400722980 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:07.450665951 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:07.450900078 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:07.463649035 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:07.492629051 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:07.493413925 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:07.739763021 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:07.751951933 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:07.752135992 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:07.755971909 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:07.764638901 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:07.764889002 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:08.097527981 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:08.128065109 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:08.128221035 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:08.129622936 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:08.145663977 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:08.145872116 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:08.171880960 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:08.171936989 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:08.172235966 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:08.176664114 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:08.220508099 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:08.232836962 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:08.242656946 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:08.243248940 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:08.251808882 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:08.279628992 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:08.280376911 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:08.292975903 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:08.423888922 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:09.006711960 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:09.011135101 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:09.372493029 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:09.407705069 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:09.408442020 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:09.433595896 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:09.436594009 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:09.436672926 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:09.595778942 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:09.609738111 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:09.609894037 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:09.619626045 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:09.650665045 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:09.650835037 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:09.706665039 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:09.973604918 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:09.973706007 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:09.980196953 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:09.980330944 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:10.014605045 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.016738892 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:10.039973974 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.040117979 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:10.046617031 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.047018051 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:10.055536032 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.055716991 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:10.074594975 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.074723005 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:10.076564074 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.076661110 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:10.081573009 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.081691027 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:10.098867893 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.099073887 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:10.100615025 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.101222992 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:10.120569944 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.121418953 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:10.132615089 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.132822990 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:10.150716066 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.150945902 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:10.163585901 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.163851023 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:10.172589064 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.172816038 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:10.178622007 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.178843975 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:10.207676888 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.207767963 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:10.251513004 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.256606102 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.256685019 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:10.295640945 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.309611082 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.309683084 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:10.327541113 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.332545042 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.332614899 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:10.436672926 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.450756073 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.450958967 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:10.741102934 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.776336908 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.776591063 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:10.786755085 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.802808046 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.803085089 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:10.842688084 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.856663942 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.856735945 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:10.861567974 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.871627092 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.872004032 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:10.894612074 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.900692940 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.900871992 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:10.979115009 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.979147911 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:10.979583025 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:10.984095097 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.013638020 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.013988972 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.025639057 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.035691023 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.035923958 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.041553974 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.053637028 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.053792000 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.080732107 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.100615978 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.100737095 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.119860888 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.133194923 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.133352041 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.146325111 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.166665077 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.166814089 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.181699991 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.193701982 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.194067001 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.202632904 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.209023952 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.213419914 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.218075991 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.249540091 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.250489950 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.259670973 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.267808914 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.268197060 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.269575119 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.285049915 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.285211086 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.291554928 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.298882961 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.299113035 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.343622923 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.351377010 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.351763964 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.359811068 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.369476080 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.369544029 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.375993967 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.417715073 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.422369003 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.431654930 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.437644958 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.437764883 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.586565971 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.590687990 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.594636917 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.601759911 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.606967926 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.610591888 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.655680895 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.663146973 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.663208008 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.663259029 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.672672987 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.672743082 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.676774025 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.691030025 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.691092014 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.694617033 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.705123901 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.705517054 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.724613905 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.743019104 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.743043900 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.743110895 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.754661083 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.754793882 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.757519960 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.771531105 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.772175074 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.776948929 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.802593946 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.802674055 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.811579943 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.829694033 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.829719067 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.829830885 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.839771032 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.839986086 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.845757008 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.852734089 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.853085995 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.865679979 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.888951063 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.889044046 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.913197041 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.914764881 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.914866924 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.923505068 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.936691999 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.936845064 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.969038010 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.974811077 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.978499889 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.988651991 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.992690086 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:11.996710062 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:11.999617100 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.088689089 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.088828087 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:12.122699976 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.137614012 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.137738943 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:12.141798973 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.163109064 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.163186073 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:12.166626930 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.171634912 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.171747923 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:12.196770906 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.241681099 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.241755009 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:12.257770061 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.280780077 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.280905962 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:12.312726974 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.316740990 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.316849947 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:12.478684902 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.491632938 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.491750956 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:12.505001068 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.525680065 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.525772095 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:12.542629957 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.542665005 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.542709112 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:12.555732965 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.562658072 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.562741041 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:12.583820105 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.583878994 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.583992958 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:12.610594034 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.613792896 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.613920927 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:12.632647991 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.637991905 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.638112068 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:12.652704000 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.680798054 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.680960894 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:12.691591978 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.710690022 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.710728884 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.710844040 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:12.715617895 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.715687037 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.715734959 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:12.729587078 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.729713917 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:12.735755920 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.768687963 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.768781900 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:12.773917913 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.784729004 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.784792900 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:12.785953045 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.791517973 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.791649103 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:12.805674076 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.807971954 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.808094978 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:12.820615053 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.847552061 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.847692013 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:12.851644993 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.864664078 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.864777088 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:12.875657082 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.876568079 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.876703024 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:12.890696049 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.917743921 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.917898893 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:12.931793928 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.935805082 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.935921907 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:12.954691887 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.958662987 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.958795071 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:12.961955070 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.973828077 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:12.973982096 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:13.090270042 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:13.090707064 CEST5379549705194.5.98.19192.168.2.7
                    May 12, 2021 16:38:13.090799093 CEST4970553795192.168.2.7194.5.98.19
                    May 12, 2021 16:38:13.103852987 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.109622955 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.109704971 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:13.123642921 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.127593040 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.127857924 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:13.283752918 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.294858932 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.294971943 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:13.325651884 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.338660002 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.338746071 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:13.343643904 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.354726076 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.354835987 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:13.359752893 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.373084068 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.373171091 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:13.379837990 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.399616003 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.399724007 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:13.413583994 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.413608074 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.413676977 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:13.433866978 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.433907032 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.434048891 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:13.445769072 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.456106901 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.456134081 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.456199884 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:13.481019020 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.481112957 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:13.491758108 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.540715933 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.541639090 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:13.571610928 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.576576948 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.576661110 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:13.588797092 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.602708101 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.602799892 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:13.606673956 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.615675926 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.615760088 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:13.657303095 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.657329082 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.657437086 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:13.673166037 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.682965040 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.683113098 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:13.697312117 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.720880985 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.721014023 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:13.745939016 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.759016037 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.759133101 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.759160042 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:13.771719933 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.771888018 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:13.773698092 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.807638884 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.807715893 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:13.811821938 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.813612938 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.813682079 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:13.819772959 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.830723047 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.830801010 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:13.837641001 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.850955009 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.851111889 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:13.904652119 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.905010939 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.905113935 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:13.916804075 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.916851997 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.916985989 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:13.922853947 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.932256937 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.932432890 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:13.974764109 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.981705904 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.981798887 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:13.985629082 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.997589111 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:13.997775078 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:14.003582001 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:14.007739067 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:14.007899046 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:14.017694950 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:14.040873051 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:14.041038036 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:14.053625107 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:14.059063911 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:14.059257030 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:14.064678907 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:14.070688963 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:14.070852995 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:14.076594114 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:14.093620062 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:14.093652010 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:14.093820095 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:14.103110075 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:14.103267908 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:14.107352018 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:14.131546021 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:14.131664038 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:14.133881092 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:14.138600111 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:14.138708115 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:14.155576944 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:14.161971092 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:14.162070036 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:14.169728994 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:14.173657894 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:14.173803091 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:14.265741110 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:14.266835928 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:14.266952991 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:14.899512053 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:15.112088919 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:15.218045950 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:15.759660959 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:15.759782076 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:16.096093893 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:16.096241951 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:16.582626104 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:16.582720041 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:16.865730047 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:16.868232012 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:17.353594065 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:17.358441114 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:17.825570107 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:17.826158047 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:18.641361952 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:19.892663002 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:20.112103939 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:21.461183071 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:21.925512075 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:23.120809078 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:23.221704960 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:24.887510061 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:25.112499952 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:26.457568884 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:26.931703091 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:29.887470007 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:30.114451885 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:31.174500942 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:31.238009930 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:31.768466949 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:32.241482973 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:34.887865067 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:35.113310099 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:37.676609993 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:38.133563995 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:39.289515972 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:39.426191092 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:39.885560989 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:39.926248074 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:43.676994085 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:44.133172989 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:44.881907940 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:44.926567078 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:46.371431112 CEST | 80 | 49680 | 93.184.220.29 | 192.168.2.7
                    May 12, 2021 16:38:46.375610113 CEST | 49680 | 80 | 192.168.2.7 | 93.184.220.29
                    May 12, 2021 16:38:46.600255966 CEST | 80 | 49681 | 93.184.220.29 | 192.168.2.7
                    May 12, 2021 16:38:46.600369930 CEST | 49681 | 80 | 192.168.2.7 | 93.184.220.29
                    May 12, 2021 16:38:47.415544987 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:47.614342928 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:49.693450928 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:49.889486074 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:50.114552021 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:50.145490885 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:54.885474920 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:54.927406073 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:55.514658928 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:55.568082094 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:55.678380966 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:38:56.139796019 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:59.885540962 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:38:59.927906990 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:01.701428890 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:02.196454048 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:03.643691063 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:03.772361994 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:04.885782003 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:04.928244114 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:06.772947073 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:07.236229897 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:09.885519028 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:09.944257021 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:11.739381075 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:11.788131952 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:11.804467916 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:12.285423994 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:14.885327101 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:14.928997040 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:16.960710049 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:17.413247108 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:19.851270914 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:19.898145914 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:20.151813030 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:20.195105076 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:22.870280981 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:23.339566946 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:24.885313988 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:24.929783106 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:27.967246056 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:28.023785114 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:28.888118982 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:29.345407009 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:29.895376921 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:29.945848942 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:34.884068012 CEST | 49680 | 80 | 192.168.2.7 | 93.184.220.29
                    May 12, 2021 16:39:34.884202957 CEST | 49677 | 443 | 192.168.2.7 | 20.190.160.8
                    May 12, 2021 16:39:34.895396948 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:34.919384956 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:34.924813986 CEST | 80 | 49680 | 93.184.220.29 | 192.168.2.7
                    May 12, 2021 16:39:34.924958944 CEST | 49680 | 80 | 192.168.2.7 | 93.184.220.29
                    May 12, 2021 16:39:34.931226969 CEST | 443 | 49677 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:39:34.933553934 CEST | 49677 | 443 | 192.168.2.7 | 20.190.160.8
                    May 12, 2021 16:39:34.961900949 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:35.355298996 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:35.759865999 CEST | 49683 | 443 | 192.168.2.7 | 20.190.160.8
                    May 12, 2021 16:39:35.759968996 CEST | 49686 | 443 | 192.168.2.7 | 20.190.160.8
                    May 12, 2021 16:39:35.806931973 CEST | 443 | 49683 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:39:35.807039976 CEST | 49683 | 443 | 192.168.2.7 | 20.190.160.8
                    May 12, 2021 16:39:35.813493013 CEST | 443 | 49686 | 20.190.160.8 | 192.168.2.7
                    May 12, 2021 16:39:35.813740015 CEST | 49686 | 443 | 192.168.2.7 | 20.190.160.8
                    May 12, 2021 16:39:36.066642046 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:36.118362904 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:39.869149923 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:39.891330004 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:39.946768999 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:40.359427929 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:44.205333948 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:44.259659052 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:44.893661976 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:44.947021961 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:45.885221958 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:46.357187986 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:48.039977074 CEST | 80 | 49681 | 93.184.220.29 | 192.168.2.7
                    May 12, 2021 16:39:48.040072918 CEST | 49681 | 80 | 192.168.2.7 | 93.184.220.29
                    May 12, 2021 16:39:49.891261101 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:49.931780100 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:50.962851048 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:51.420116901 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:52.309222937 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:52.353910923 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:54.891500950 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:54.932302952 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:56.276943922 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:39:56.756548882 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:59.899682999 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:39:59.948277950 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:40:00.413475990 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:40:00.463999033 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:40:00.464238882 CEST | 80 | 49681 | 93.184.220.29 | 192.168.2.7
                    May 12, 2021 16:40:00.464397907 CEST | 49681 | 80 | 192.168.2.7 | 93.184.220.29
                    May 12, 2021 16:40:01.277403116 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:40:01.753525019 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:40:04.888725042 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:40:04.933907986 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:40:06.292942047 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:40:06.756129026 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:40:08.525197983 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:40:08.574040890 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:40:09.885150909 CEST | 53795 | 49705 | 194.5.98.19 | 192.168.2.7
                    May 12, 2021 16:40:09.933422089 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19
                    May 12, 2021 16:40:11.748584986 CEST | 49705 | 53795 | 192.168.2.7 | 194.5.98.19

                    UDP Packets

                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    May 12, 2021 16:37:50.136571884 CEST | 57820 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:37:50.197191000 CEST | 53 | 57820 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:37:50.305509090 CEST | 50848 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:37:50.364871979 CEST | 53 | 50848 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:37:50.436470032 CEST | 61242 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:37:50.496620893 CEST | 53 | 61242 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:37:51.380249977 CEST | 58562 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:37:51.430921078 CEST | 53 | 58562 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:37:52.520164967 CEST | 56590 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:37:52.578984022 CEST | 53 | 56590 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:37:53.069900036 CEST | 60501 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:37:53.121454954 CEST | 53 | 60501 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:37:55.749366999 CEST | 53775 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:37:55.802941084 CEST | 53 | 53775 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:37:56.546875954 CEST | 51837 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:37:56.598454952 CEST | 53 | 51837 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:37:57.524034977 CEST | 55411 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:37:57.572818995 CEST | 53 | 55411 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:37:59.112962961 CEST | 63668 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:37:59.161858082 CEST | 53 | 63668 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:38:00.298413992 CEST | 54640 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:38:00.347196102 CEST | 53 | 54640 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:38:01.534859896 CEST | 58739 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:38:01.586709976 CEST | 53 | 58739 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:38:02.570036888 CEST | 60338 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:38:02.620176077 CEST | 53 | 60338 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:38:03.501022100 CEST | 58717 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:38:03.550889015 CEST | 53 | 58717 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:38:04.529175997 CEST | 59762 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:38:04.580795050 CEST | 53 | 59762 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:38:05.407155037 CEST | 54329 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:38:05.456099987 CEST | 53 | 54329 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:38:06.186273098 CEST | 58052 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:38:06.237843037 CEST | 53 | 58052 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:38:07.044519901 CEST | 54008 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:38:07.093291998 CEST | 53 | 54008 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:38:07.847956896 CEST | 59451 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:38:07.896676064 CEST | 53 | 59451 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:38:08.874038935 CEST | 52914 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:38:08.923909903 CEST | 53 | 52914 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:38:09.832998991 CEST | 64569 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:38:09.881685972 CEST | 53 | 64569 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:38:10.754215002 CEST | 52816 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:38:10.803047895 CEST | 53 | 52816 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:38:13.429421902 CEST | 50781 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:38:13.478338003 CEST | 53 | 50781 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:38:15.326056004 CEST | 54230 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:38:15.375394106 CEST | 53 | 54230 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:38:15.911966085 CEST | 54911 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:38:15.971407890 CEST | 53 | 54911 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:38:34.968208075 CEST | 49958 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:38:35.025798082 CEST | 53 | 49958 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:38:46.392949104 CEST | 50860 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:38:46.450272083 CEST | 53 | 50860 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:38:46.549272060 CEST | 50452 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:38:46.606832027 CEST | 53 | 50452 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:39:01.538760900 CEST | 59730 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:39:01.595906973 CEST | 53 | 59730 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:39:02.271943092 CEST | 59310 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:39:02.332194090 CEST | 53 | 59310 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:39:02.778215885 CEST | 51919 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:39:02.851145029 CEST | 53 | 51919 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:39:02.960926056 CEST | 64296 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:39:03.020271063 CEST | 53 | 64296 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:39:03.496707916 CEST | 56680 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:39:03.546567917 CEST | 53 | 56680 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:39:04.136363029 CEST | 58820 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:39:04.196341991 CEST | 53 | 58820 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:39:05.036043882 CEST | 60983 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:39:05.084620953 CEST | 53 | 60983 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:39:05.593821049 CEST | 49247 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:39:05.642579079 CEST | 53 | 49247 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:39:06.537549973 CEST | 52286 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:39:06.597774029 CEST | 53 | 52286 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:39:07.591264963 CEST | 56064 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:39:07.644853115 CEST | 53 | 56064 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:39:08.113748074 CEST | 63744 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:39:08.174438953 CEST | 53 | 63744 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:39:19.232753038 CEST | 61457 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:39:19.293617964 CEST | 53 | 61457 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:39:47.435106039 CEST | 58367 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:39:47.515708923 CEST | 53 | 58367 | 8.8.8.8 | 192.168.2.7
                    May 12, 2021 16:39:48.874694109 CEST | 60599 | 53 | 192.168.2.7 | 8.8.8.8
                    May 12, 2021 16:39:48.931833029 CEST | 53 | 60599 | 8.8.8.8 | 192.168.2.7

                    Code Manipulations

                    Statistics

                    CPU Usage

                    Memory Usage

                    High Level Behavior Distribution

                    Behavior

                    System Behavior

                    General

                    Start time: 16:37:56
                    Start date: 12/05/2021
                    Path: C:\Users\user\Desktop\QuotationOrder.pdf.exe
                    Wow64 process (32bit): true
                    Commandline: 'C:\Users\user\Desktop\QuotationOrder.pdf.exe'
                    Imagebase: 0xf20000
                    File size: 850944 bytes
                    MD5 hash: 14E431BCB3FDB77CD13912A5CBEF9E40
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: .Net C# or VB.NET
                    Yara matches:
                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.243826185.00000000043B9000.00000004.00000001.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.243826185.00000000043B9000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.243826185.00000000043B9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.243971939.0000000004508000.00000004.00000001.sdmp, Author: Florian Roth
                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.243971939.0000000004508000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.243971939.0000000004508000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.243530638.00000000033F4000.00000004.00000001.sdmp, Author: Joe Security
                    Reputation: low

                    General

                    Start time: 16:38:00
                    Start date: 12/05/2021
                    Path: C:\Windows\SysWOW64\schtasks.exe
                    Wow64 process (32bit): true
                    Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RLaczhWDn' /XML 'C:\Users\user\AppData\Local\Temp\tmpAF14.tmp'
                    Imagebase: 0xef0000
                    File size: 185856 bytes
                    MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Reputation: high

                    General

                    Start time:16:38:00
                    Start date:12/05/2021
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff774ee0000
                    File size:625664 bytes
                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:16:38:01
                    Start date:12/05/2021
                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    Imagebase:0xd20000
                    File size:261728 bytes
                    MD5 hash:D621FD77BD585874F9686D3A76462EF1
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET
                    Reputation:moderate

                    Disassembly

                    Code Analysis

                      Executed Functions

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.245050639.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: D0<l$D0<l$D0<l
                      • API String ID: 0-2791425553
                      • Opcode ID: b8aee559ef305e4d8df3f51fe17e0bdf60da332a74092a57e311f1a3936a9590
                      • Instruction ID: 01e9017ebaa279d13aaa8a6c4fa50affd24a84802345ef6f132dc7597ed2e736
                      • Opcode Fuzzy Hash: b8aee559ef305e4d8df3f51fe17e0bdf60da332a74092a57e311f1a3936a9590
                      • Instruction Fuzzy Hash: 84726C70A041199FDB14EF65C884ABEBBB6FF88304F148169E906EB391DB34ED45CB91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: #mX$'jT
                      • API String ID: 0-2170581488
                      • Opcode ID: 12cbb16f5b5acce14f21e54b433b1614ad6eadcab271884895f99c185ccf71a5
                      • Instruction ID: 8f7e49ef4fbedba4f556364b8c179e71f50486a9eeba6a82582c19f3370a6fdf
                      • Opcode Fuzzy Hash: 12cbb16f5b5acce14f21e54b433b1614ad6eadcab271884895f99c185ccf71a5
                      • Instruction Fuzzy Hash: 76A12670E29209DBDB04CFA9E5805AEFBF6FF89314F14A52AD006A7258D7749981CF14
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: >"8$^$x
                      • API String ID: 0-3244135881
                      • Opcode ID: f679bae348c980ab4e42c0103a40633ffab08c1735acb5c7a0193636e88ba2ea
                      • Instruction ID: abcc6b27e411c1ff63c1ff9d7c49873634b0df0302d428cea9605fcaf55b7be7
                      • Opcode Fuzzy Hash: f679bae348c980ab4e42c0103a40633ffab08c1735acb5c7a0193636e88ba2ea
                      • Instruction Fuzzy Hash: A3516B30E25218DFCB08DFA6D9855DDFBF2BFCD201F24A52AD406B7214DB3499818B28
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: >"8$^$x
                      • API String ID: 0-3244135881
                      • Opcode ID: 1e2549373c684b9c003a3bb5291deb12dfa2c4505aa8fd1c54f57e39ec77d8dc
                      • Instruction ID: e7496e9784510c7247e3ccd4fede271bb12b0b24ad5ae5cec49454992688b767
                      • Opcode Fuzzy Hash: 1e2549373c684b9c003a3bb5291deb12dfa2c4505aa8fd1c54f57e39ec77d8dc
                      • Instruction Fuzzy Hash: 36517E30E25218DBCB08DFA6D9455DDFBF6FFCD200F64A52AD406B7254DB3499818B28
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: E[Nk
                      • API String ID: 0-1509780505
                      • Opcode ID: d697b87164b7f10fcf9e716156f4d929ec23c59accfbe7780e54af883235a982
                      • Instruction ID: 3682f48aac18cfbdb52462e4566ab0c1777f1e8eed446208037486a4d197a3d6
                      • Opcode Fuzzy Hash: d697b87164b7f10fcf9e716156f4d929ec23c59accfbe7780e54af883235a982
                      • Instruction Fuzzy Hash: 64418075E292098BCB08CFA5E9455DEFBF6FF8D210F04942AD606F3264D77498808B69
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: E[Nk
                      • API String ID: 0-1509780505
                      • Opcode ID: fe52ffa62c08460e1a40dcbb970a0cedc74428b9ea7ac83e8ae898658f57cd06
                      • Instruction ID: 872fbdc31cdabeaa38e64f0acb3957a9d3022f8ad482cf3a5585b8854d239537
                      • Opcode Fuzzy Hash: fe52ffa62c08460e1a40dcbb970a0cedc74428b9ea7ac83e8ae898658f57cd06
                      • Instruction Fuzzy Hash: EF419F75E242198BCB08CFA5E9455DDFBF6BF8D210F04942AC506F32A8E73498808B69
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a3de312bf34764518f8e37b4dbf8f8324913da9b1fc1d750a1aef7554f555efd
                      • Instruction ID: 122a6b817644432f778dd8ed2d1f69cccf0f9d343d85c52eb5faad3302ea4408
                      • Opcode Fuzzy Hash: a3de312bf34764518f8e37b4dbf8f8324913da9b1fc1d750a1aef7554f555efd
                      • Instruction Fuzzy Hash: F8D13630E662199FDB04DFA5D945B9DBBF2FF89300F209469E809BB294D770A9818B14
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ab6eb267e1e24366b6e99484df211c72c7e27044b56b25aa5a3ce9fbba0ad07f
                      • Instruction ID: 3afb9c7f757381c099443bb96d48bb49ebe1b97b6767c83619f296b0940c2b73
                      • Opcode Fuzzy Hash: ab6eb267e1e24366b6e99484df211c72c7e27044b56b25aa5a3ce9fbba0ad07f
                      • Instruction Fuzzy Hash: 5CC14730E662189FDB04CFA5D945B9DFBF2FF89300F209469E809BB394D770A9818B14
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f24562dddd78bc68a08823d245ae082fbe9af15851342e99016fcffb0d45aba0
                      • Instruction ID: 2d1cf0f89ded51e8662b16c154bc0cbbcf8020c5bf0862429af552eaecfedcc0
                      • Opcode Fuzzy Hash: f24562dddd78bc68a08823d245ae082fbe9af15851342e99016fcffb0d45aba0
                      • Instruction Fuzzy Hash: 76815771E24629CBDB24CF66D844B9DFBB6BF89300F14D5EAC509A7244EB709AC18F10
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e7647ac0270f7c31f368693009b779f908e30d17e49c78a3b09ce4bf62cc4ecc
                      • Instruction ID: bdf57fc0d8bd4fe27f2678b262f854c70be445aca52bde3c3b2bd18dea85bbe2
                      • Opcode Fuzzy Hash: e7647ac0270f7c31f368693009b779f908e30d17e49c78a3b09ce4bf62cc4ecc
                      • Instruction Fuzzy Hash: 79814871E1062ACBDB28CF66CC44B9DFBB6AF89300F14C5EAD509A7254EB705AC18F50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 14eb0da38faf3fbeb4a4ac7896cdd2ffadab49d163a344f02cf2a4680ed23779
                      • Instruction ID: 955a6a57c95d3568aeccf9ada7b32fff3cb1f1a6c9778de21a0e6810e55a8bd5
                      • Opcode Fuzzy Hash: 14eb0da38faf3fbeb4a4ac7896cdd2ffadab49d163a344f02cf2a4680ed23779
                      • Instruction Fuzzy Hash: AA811674E116189FCB44DFE5D8896AEBBB2FF89300F20846AD815BB354DB74A942CF50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0bf5f1633235372da9f5ce9bd89d6690b8d66b8ac8025599397c93c78b360182
                      • Instruction ID: 117b9a03e872c481a594ea77e86ba602f6d5e94971dddd3012028ff627051325
                      • Opcode Fuzzy Hash: 0bf5f1633235372da9f5ce9bd89d6690b8d66b8ac8025599397c93c78b360182
                      • Instruction Fuzzy Hash: 5F710474E116189FCB44DFE5D8895AEBBB6FF89300F20842AD816BB354DB74A941CF50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: df314832efaf8810b2d2e0c24270d1d5fe632ca5f4f4f8b7c3bee1c8c94b6aef
                      • Instruction ID: 62ce91b201f3f698dfff311f95480ad85e8dab1f83b9c3d389a27a16d91ec27e
                      • Opcode Fuzzy Hash: df314832efaf8810b2d2e0c24270d1d5fe632ca5f4f4f8b7c3bee1c8c94b6aef
                      • Instruction Fuzzy Hash: 4471487192022ACFCB64CF65C844BDDBBB6BF89300F10D6EAD509A7244E7709AC58F50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3387193c6a792ba224dcf7b2d72c0ba5b5a589ecac137e9e73ec1bd13d23b7e4
                      • Instruction ID: b2757a9c8e6d6897d0f9b3e85dbd2e5266a6714d440fbdff8078359c0779155a
                      • Opcode Fuzzy Hash: 3387193c6a792ba224dcf7b2d72c0ba5b5a589ecac137e9e73ec1bd13d23b7e4
                      • Instruction Fuzzy Hash: A2615871E2422ACBDB64CF66D844B9DF7B6BF89300F14D6EAD109A7244E7709AC18F50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 01816BF8
                      • GetCurrentThread.KERNEL32 ref: 01816C35
                      • GetCurrentProcess.KERNEL32 ref: 01816C72
                      • GetCurrentThreadId.KERNEL32 ref: 01816CCB
                      Memory Dump Source
                      • Source File: 00000000.00000002.243226093.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0
                      • Opcode ID: 9edeaeabb2f0583f2c854c84bdbd644b13eb5d148516d819165e5ae4be218497
                      • Instruction ID: 8608bb88fe9d252f93c93bbf7d11992af60465bcf2cd90b7ba9ef4e1399b7a75
                      • Opcode Fuzzy Hash: 9edeaeabb2f0583f2c854c84bdbd644b13eb5d148516d819165e5ae4be218497
                      • Instruction Fuzzy Hash: 8B5164B49003498FDB14CFA9D588BEEBBF4FF89314F208059E059A7254E7745985CF25
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 01816BF8
                      • GetCurrentThread.KERNEL32 ref: 01816C35
                      • GetCurrentProcess.KERNEL32 ref: 01816C72
                      • GetCurrentThreadId.KERNEL32 ref: 01816CCB
                      Memory Dump Source
                      • Source File: 00000000.00000002.243226093.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0
                      • Opcode ID: c60ca0a508bb9d398e8b427ca0ef2719979e243c0f3259946e56416ec1efded1
                      • Instruction ID: 57f8074e4706a264099699cbee493df55632e4ee02dec9bb0722f1196e81d4cc
                      • Opcode Fuzzy Hash: c60ca0a508bb9d398e8b427ca0ef2719979e243c0f3259946e56416ec1efded1
                      • Instruction Fuzzy Hash: 6C5153B49003498FDB14CFAAC588BAEBBF4FF88314F208059E159A7254E7745984CF65
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • PostMessageW.USER32(?,?,?,?), ref: 03268215
                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID: MessagePost
                      • String ID:
                      • API String ID: 410705778-0
                      • Opcode ID: c56e85439b7910479de28e1255d9b3f22d1b040ac580237681104b2c1691a587
                      • Instruction ID: 6af635f6d4982ae0e7d0b4ff1e386031e0ea2399e27846d6f6f7f4d44e625c2c
                      • Opcode Fuzzy Hash: c56e85439b7910479de28e1255d9b3f22d1b040ac580237681104b2c1691a587
                      • Instruction Fuzzy Hash: F82190B58083848FCB11CFA8D894BDEBFF0EF49314F05888AD495A7651D378A544CFA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 03262E26
                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0
                      • Opcode ID: 03a82c9e3f64b5cf81531962659dadf6d34c851357587da9808b11db2c1b735f
                      • Instruction ID: d4018223b2470172328d96b102b860b74f69ccce7cdd480ffec7ae802bfdf278
                      • Opcode Fuzzy Hash: 03a82c9e3f64b5cf81531962659dadf6d34c851357587da9808b11db2c1b735f
                      • Instruction Fuzzy Hash: 1CA13971D10759CFDB20CF68C881BEDBAB2BF48314F1589A9E849A7280DB7499C5CF91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 03262E26
                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0
                      • Opcode ID: 3305e24289f5000abd76ad89be074dec2e0d79cbb0bbd8d3fea6f2a7e021a30e
                      • Instruction ID: 9afac71ce72eab158752f5fbf6cff74611ada3db6609bcf2406229c9dc1459b1
                      • Opcode Fuzzy Hash: 3305e24289f5000abd76ad89be074dec2e0d79cbb0bbd8d3fea6f2a7e021a30e
                      • Instruction Fuzzy Hash: 24914B71D10759CFDB20CF68C884BEDBAB2BF48314F1589A9D849A7280DB7499C5CF91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0181BE0E
                      Memory Dump Source
                      • Source File: 00000000.00000002.243226093.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: 4db7d0961fb9094228f850e132739929b9970e95ca9d043e62c8fca9e49251ff
                      • Instruction ID: 3d10b973301f0077e2ed4b3be34019951423bd0f79b5ee3e87554217d3519388
                      • Opcode Fuzzy Hash: 4db7d0961fb9094228f850e132739929b9970e95ca9d043e62c8fca9e49251ff
                      • Instruction Fuzzy Hash: 03812471A00B058FDB24CF6AC09475ABBF5BF88304F008A2DD58ADBA54DB35E945CF91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0181DD8A
                      Memory Dump Source
                      • Source File: 00000000.00000002.243226093.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false
                      Similarity
                      • API ID: CreateWindow
                      • String ID:
                      • API String ID: 716092398-0
                      • Opcode ID: f500c7d6fd72feba205d08f502efeb76723c9f83914f052ad9aad2dcbdeae971
                      • Instruction ID: 7032366c2e5c7995f03c33a0b360aa4f607341b39df8a4547b362d6bf6663012
                      • Opcode Fuzzy Hash: f500c7d6fd72feba205d08f502efeb76723c9f83914f052ad9aad2dcbdeae971
                      • Instruction Fuzzy Hash: 5A51CDB1D00309DFDF14CFA9C884ADEBBB5BF48314F64862AE819AB254D7749985CF90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0181DD8A
                      Memory Dump Source
                      • Source File: 00000000.00000002.243226093.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false
                      Similarity
                      • API ID: CreateWindow
                      • String ID:
                      • API String ID: 716092398-0
                      • Opcode ID: 219321a518c3ed942b5392ad8d0f2615b0b57183ad8c1478e7dfe660784f0c81
                      • Instruction ID: 09ddf19d4fb68c0ea5a507a8885bb94088125db46e2f1429f408e9aad5e9d52e
                      • Opcode Fuzzy Hash: 219321a518c3ed942b5392ad8d0f2615b0b57183ad8c1478e7dfe660784f0c81
                      • Instruction Fuzzy Hash: E541CEB1D00308DFDB14CF99C884ADEBFB5BF48314F24862AE819AB254D7749945CF90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01816E47
                      Memory Dump Source
                      • Source File: 00000000.00000002.243226093.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: 9313b5abf9a38368e98089b2c7575d2137f199940edad8458004ff49791039b9
                      • Instruction ID: c9dde2afd03cc2fe5e1d463cd810b1636486febcaab2a9da2b27529db2d3d6f7
                      • Opcode Fuzzy Hash: 9313b5abf9a38368e98089b2c7575d2137f199940edad8458004ff49791039b9
                      • Instruction Fuzzy Hash: 7D415A769002089FCF11CF99D880ADEBFF9EF49310F14805AE944E7220D3759A55CFA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 032629F8
                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID: MemoryProcessWrite
                      • String ID:
                      • API String ID: 3559483778-0
                      • Opcode ID: 85003a3b79959879e203cc0f1af4f4bd7084ea232c1bc4a898fd00485f5bdcaf
                      • Instruction ID: cf63e0a247aa932103d4aa62716965279070bca76b8a77ce0b12ae4f98992a57
                      • Opcode Fuzzy Hash: 85003a3b79959879e203cc0f1af4f4bd7084ea232c1bc4a898fd00485f5bdcaf
                      • Instruction Fuzzy Hash: D32148B5900349CFCB10CFA9C9817EEBBF1FF48314F14882AE959A7640D7789984CBA4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 032629F8
                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID: MemoryProcessWrite
                      • String ID:
                      • API String ID: 3559483778-0
                      • Opcode ID: f7a95c233a308efe48d9726599c8ab5915caa30467cc4a4f937d9b3020462306
                      • Instruction ID: 09179d0a5ea867dabe4d902eda304f4472e16ba95593e13c42faa35f91794693
                      • Opcode Fuzzy Hash: f7a95c233a308efe48d9726599c8ab5915caa30467cc4a4f937d9b3020462306
                      • Instruction Fuzzy Hash: A2212871900349DFCB10CFA9C884BEEBBF5FF48314F148429E959A7240D7789984CBA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SetThreadContext.KERNELBASE(?,00000000), ref: 0326284E
                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID: ContextThread
                      • String ID:
                      • API String ID: 1591575202-0
                      • Opcode ID: 674f111a5a049423bc93064ac2d5daede1921fe3cd41a79f8ccf702e4aadfb9b
                      • Instruction ID: 72eb3548f0df5dc9fe87b5f24526269513a289c0a6bf97aac57ca7488fa89dd6
                      • Opcode Fuzzy Hash: 674f111a5a049423bc93064ac2d5daede1921fe3cd41a79f8ccf702e4aadfb9b
                      • Instruction Fuzzy Hash: B2212571D003098FDB10DFAAD8847EEBBF5AF88314F14842ED559A7640D7789985CFA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01816E47
                      Memory Dump Source
                      • Source File: 00000000.00000002.243226093.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: b505020e7db15e6eca5017d52b8121d59809315065443c300eae001e7219787d
                      • Instruction ID: ad3bad5a7917dba93b0866686bf2a047b725467b2c49c741d03d7795c33a2bf2
                      • Opcode Fuzzy Hash: b505020e7db15e6eca5017d52b8121d59809315065443c300eae001e7219787d
                      • Instruction Fuzzy Hash: 422107B59003489FDB10CFA9D884ADEBFF4EF48314F14841AE954A7310D374A944CFA5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 03262AD8
                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID: MemoryProcessRead
                      • String ID:
                      • API String ID: 1726664587-0
                      • Opcode ID: cb4f8f725fac58aa9ecde96ef12d57a9c5a9dba63c0761448148fe1f20a666c5
                      • Instruction ID: 9c14703b18170fd0866106155ecd6b5d5d480354d1dce625a70b1be3d4fb59af
                      • Opcode Fuzzy Hash: cb4f8f725fac58aa9ecde96ef12d57a9c5a9dba63c0761448148fe1f20a666c5
                      • Instruction Fuzzy Hash: 0F2105B19003498FCB10CFA9D9817EEBBF1FF48314F14882AD958A7250D7789955CBA5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SetThreadContext.KERNELBASE(?,00000000), ref: 0326284E
                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID: ContextThread
                      • String ID:
                      • API String ID: 1591575202-0
                      • Opcode ID: 0c785e896b9e55d6c8f7b1f36b486c9fa41be2c0b30c3e39dd367665c05a0831
                      • Instruction ID: c9021089175fd2b2167e30e8742ec7d5f692a273fc7e8efb291c0a218850186f
                      • Opcode Fuzzy Hash: 0c785e896b9e55d6c8f7b1f36b486c9fa41be2c0b30c3e39dd367665c05a0831
                      • Instruction Fuzzy Hash: A5213871D003098FCB10DFAAC8847EEBBF4AF88214F14842ED559A7240DB789985CFA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 03262AD8
                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID: MemoryProcessRead
                      • String ID:
                      • API String ID: 1726664587-0
                      • Opcode ID: b02d6638ac5c2f2f238d56f5346ffeacaebea555ff1c6f1d15e8c73a9dee2508
                      • Instruction ID: 77943f44f0632715f251673d12fc69e57d55ebcdd7ee30e810d5285135452c92
                      • Opcode Fuzzy Hash: b02d6638ac5c2f2f238d56f5346ffeacaebea555ff1c6f1d15e8c73a9dee2508
                      • Instruction Fuzzy Hash: 4B2128B18003499FCB10DFAAC880BEEBBF5FF48314F10842EE958A7240C7789945CBA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01816E47
                      Memory Dump Source
                      • Source File: 00000000.00000002.243226093.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: 464552ff717d389983b078e865b8b86c0341a69e70855f921c8563ade819ba34
                      • Instruction ID: 3d35f9942ea6835bf2a740f2dffa03a1133331459f648d3175018bf573e1e8ec
                      • Opcode Fuzzy Hash: 464552ff717d389983b078e865b8b86c0341a69e70855f921c8563ade819ba34
                      • Instruction Fuzzy Hash: 7E21C6B59002489FDB10CF99D884ADEBBF8EB48314F14851AE954A7350D374A944CFA5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 03262916
                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: 07f7dbb92976184a0faf42fb5a446477a4c0ca8eb4f3e0d65781808531ebb786
                      • Instruction ID: 237b28f49d1ecdc806e1f4d8fc0acdd209bec0e41993d31b06daa09517501f91
                      • Opcode Fuzzy Hash: 07f7dbb92976184a0faf42fb5a446477a4c0ca8eb4f3e0d65781808531ebb786
                      • Instruction Fuzzy Hash: 1A1159729002498FCF10DFA9D8447EEBBF1AF88314F148829E915A7650C7359941CFA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0181BE89,00000800,00000000,00000000), ref: 0181C09A
                      Memory Dump Source
                      • Source File: 00000000.00000002.243226093.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: 083634744a0693867a8412e4c23c1085c5bf82e6f131cc7b51d1a49514b9782d
                      • Instruction ID: a9cf31530e3be408f0b960be30ae4f9e58adde91e9800ccd6fedb79608a56e77
                      • Opcode Fuzzy Hash: 083634744a0693867a8412e4c23c1085c5bf82e6f131cc7b51d1a49514b9782d
                      • Instruction Fuzzy Hash: 481114B69002088FDB24CF9AD444BDEFBF8EB49354F00852EE919B7200C375AA45CFA5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0181BE89,00000800,00000000,00000000), ref: 0181C09A
                      Memory Dump Source
                      • Source File: 00000000.00000002.243226093.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: cd631efbc216a2c5609eb930dc91e14290e947b10a14120618a07ca3d1b3ca51
                      • Instruction ID: 3ec8451f1141006803bfbeb62619cbfaf6b9ebd46a9d282eb4a4a031539d9796
                      • Opcode Fuzzy Hash: cd631efbc216a2c5609eb930dc91e14290e947b10a14120618a07ca3d1b3ca51
                      • Instruction Fuzzy Hash: 091106B6C003499FDB10CF9AD444BDEFBF4AB49314F14851AD955A7200C375A645CFA5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 03262916
                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: 0a77ed951d63135840faa44e77ee7bebb9f464f0e06093524b25bac7028feda5
                      • Instruction ID: 55e0bc86644861873b81154e439b14bb71c053ad921e298790b501556257cccc
                      • Opcode Fuzzy Hash: 0a77ed951d63135840faa44e77ee7bebb9f464f0e06093524b25bac7028feda5
                      • Instruction Fuzzy Hash: D11126729002499BCB10DFAAC844BEFBBF5AF88324F148819E555A7250C7759944CFA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID: ResumeThread
                      • String ID:
                      • API String ID: 947044025-0
                      • Opcode ID: 7a332271ad4feb3de41576429c8bfb960a287a3bc930bb19c6fdd7647e6d3269
                      • Instruction ID: 1d8d62a1e35a7bf4c5bd919705ffb62bee16866ddf05e888dd508eb83986e5e1
                      • Opcode Fuzzy Hash: 7a332271ad4feb3de41576429c8bfb960a287a3bc930bb19c6fdd7647e6d3269
                      • Instruction Fuzzy Hash: F5113AB1D043498BCB10DFAAC4447EFFBF5AF88224F14882DD519A7640C778A944CFA4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID: ResumeThread
                      • String ID:
                      • API String ID: 947044025-0
                      • Opcode ID: 95790d76a8c9a09e0b522e54102163a95c133de018511859682f5d709dab4148
                      • Instruction ID: f21e0d3a770b8def455358f5c19293728a5944719a17d3fafe6ec2869dd4c6ed
                      • Opcode Fuzzy Hash: 95790d76a8c9a09e0b522e54102163a95c133de018511859682f5d709dab4148
                      • Instruction Fuzzy Hash: B51128B6D003498BCB14DFA9C8847EEBBF5AF48224F14881AC559B7640D7789985CFA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0181BE0E
                      Memory Dump Source
                      • Source File: 00000000.00000002.243226093.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: 3a138941cdd0f762a709c216fb856d6ca2ed219a0885ddf2abf7904ec0045159
                      • Instruction ID: fbde2fec7228b29d75250d30682e88232050615135db8764b73464309255bf44
                      • Opcode Fuzzy Hash: 3a138941cdd0f762a709c216fb856d6ca2ed219a0885ddf2abf7904ec0045159
                      • Instruction Fuzzy Hash: C111E0B6D006498FDB14CF9AD444BDEFBF8EF88324F14851AD929A7600D378A645CFA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • PostMessageW.USER32(?,?,?,?), ref: 03268215
                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID: MessagePost
                      • String ID:
                      • API String ID: 410705778-0
                      • Opcode ID: a185d89b28171c7c127875e7404b2cee2f47dd703b20e19ce24054ed5e5aaa49
                      • Instruction ID: 8ee50f7fbf804cfb4a56f2bad13ea6c5e49b8e4cb4a410505b60dfc53aefe1ba
                      • Opcode Fuzzy Hash: a185d89b28171c7c127875e7404b2cee2f47dd703b20e19ce24054ed5e5aaa49
                      • Instruction Fuzzy Hash: 8C11E2B58007499FDB10DF99D884BEEFBF8FB48324F14841AE959A7600D374A984CFA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SetWindowLongW.USER32(?,?,?), ref: 0181DF1D
                      Memory Dump Source
                      • Source File: 00000000.00000002.243226093.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false
                      Similarity
                      • API ID: LongWindow
                      • String ID:
                      • API String ID: 1378638983-0
                      • Opcode ID: d7036d0abc4421fb4075a88e84547d65680fae518443e15b14f6a30c069d9cc6
                      • Instruction ID: 8bf375c805f05d5a35eb307921612f9ce5b9e031556c9b5bb97d82c2a6b2ffcd
                      • Opcode Fuzzy Hash: d7036d0abc4421fb4075a88e84547d65680fae518443e15b14f6a30c069d9cc6
                      • Instruction Fuzzy Hash: 6F11E2B68002499FDB10DF99D488BDEBBF8EB48324F10851AE959A7740C374AA44CFA5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SetWindowLongW.USER32(?,?,?), ref: 0181DF1D
                      Memory Dump Source
                      • Source File: 00000000.00000002.243226093.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false
                      Similarity
                      • API ID: LongWindow
                      • String ID:
                      • API String ID: 1378638983-0
                      • Opcode ID: 6aaf0b096d24670c38700aa784ca64f75994a6a510ee45e102b78e2779ca7f5a
                      • Instruction ID: 628855698a7940736a654f547d2b4cca9f415469965051b4b69bd4daacde58f3
                      • Opcode Fuzzy Hash: 6aaf0b096d24670c38700aa784ca64f75994a6a510ee45e102b78e2779ca7f5a
                      • Instruction Fuzzy Hash: 831112B6800208CFDB10CF99D584BDEBBF8EB48324F14851AD919B7740C378AA44CFA5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.243137669.00000000017AD000.00000040.00000001.sdmp, Offset: 017AD000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 62bed1e9aaec66bce7c7a560019c05c1bb4c99025eff594f0f0de196f2d37f51
                      • Instruction ID: 53613a675cd084caf5ff974ef24e86d9d5d13a11a731fbb5ff5966a4ee659f4b
                      • Opcode Fuzzy Hash: 62bed1e9aaec66bce7c7a560019c05c1bb4c99025eff594f0f0de196f2d37f51
                      • Instruction Fuzzy Hash: D52148B1504240DFDB15CF84C9C0B26FFA5FBC8328F3486A8E9454B606C336D855CBA2
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.243162027.00000000017BD000.00000040.00000001.sdmp, Offset: 017BD000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a7d57680bcf2a9ff195cb986ba91a6e6c7a645d2912515cbe2af5fbb091e7b26
                      • Instruction ID: 7c64f575521d16aca5ca5d9f6b32015ad39376b992c8f7d37e833859dea1c2a4
                      • Opcode Fuzzy Hash: a7d57680bcf2a9ff195cb986ba91a6e6c7a645d2912515cbe2af5fbb091e7b26
                      • Instruction Fuzzy Hash: 03213775508340DFDB25CF54D9C4B66FB61FB88358F24C5ADE9494B246C336D807CA61
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.243137669.00000000017AD000.00000040.00000001.sdmp, Offset: 017AD000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1052528d2a480f76dc71ac9e8dbd293b344636eb2c816d04f2bc4dbd12c30dd9
                      • Instruction ID: 555deb8a320f037439af5b3f81d155d7e37709d08de83522cdb620393915e121
                      • Opcode Fuzzy Hash: 1052528d2a480f76dc71ac9e8dbd293b344636eb2c816d04f2bc4dbd12c30dd9
                      • Instruction Fuzzy Hash: 8811B176404280CFDB16CF54D9C4B16FF71FB84324F2486A9D8450B616C33AD556CBA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.243162027.00000000017BD000.00000040.00000001.sdmp, Offset: 017BD000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d2bd1360a98e8ff9346120b639037a4f130e4da254582f11a4a56d58ba833309
                      • Instruction ID: 3681f136b2dbdeb3b8d983c251976978d86b445eca99de726ced7b41b4cbfd4f
                      • Opcode Fuzzy Hash: d2bd1360a98e8ff9346120b639037a4f130e4da254582f11a4a56d58ba833309
                      • Instruction Fuzzy Hash: 1F11D075504280CFDB12CF14D5C4B55FF71FB44318F28C6A9D8094B656C33AD44ACB61
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.243137669.00000000017AD000.00000040.00000001.sdmp, Offset: 017AD000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d9f678bc2a66d5999932a436759d70d65cc5cc12e8e40fe4c6d1a775724272cc
                      • Instruction ID: a9b33684e960b08d3bde1176974fcf17ca4acfb123a4f8ab4759b956753ad6db
                      • Opcode Fuzzy Hash: d9f678bc2a66d5999932a436759d70d65cc5cc12e8e40fe4c6d1a775724272cc
                      • Instruction Fuzzy Hash: 2101F7710083C09AE7344A55CC84B66FF98EF81324F48C65AEE045A647C3789844C6B5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.243137669.00000000017AD000.00000040.00000001.sdmp, Offset: 017AD000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b0b1be465be6cd9b2ca47b61e714d63fd0961755d51ea896d81c79106ead3a96
                      • Instruction ID: 091d82f0a7ee79f1d43dfdea8075118a20a872d0fa8d002112baef18e6702f1f
                      • Opcode Fuzzy Hash: b0b1be465be6cd9b2ca47b61e714d63fd0961755d51ea896d81c79106ead3a96
                      • Instruction Fuzzy Hash: ADF062714042849AE7258E5ADCC4B62FFA8EF81734F18C55AED085B697C3799844CAB1
                      Uniqueness

                      Uniqueness Score: -1.00%
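Added example, not part of the sandbox report: a small Python parser for the per-function records listed above. It splits the listing on the "Uniqueness Score" terminator, collects the resolved API calls per memory-dump region, and flags a region when more than one injection primitive (allocate in another process, resume a thread) is reached from the same region, which is the pattern behind the VirtualAllocEx and ResumeThread entries at offset 03260000. The input is a constructed, abridged copy of four of the records above; the INJECTION_APIS list, the fallback to the report's "API ID" field when no call line was captured (it only helps where that ID coincides with the real API name, as with ResumeThread), and the positional fuzzy-hash comparison are this example's own assumptions, not Joe Sandbox's metrics.

```python
"""Parse sandbox function records, group API calls by memory region, flag injection primitives."""
import re
from collections import defaultdict

# Constructed input: four records copied from the report, trimmed to the fields used here.
SAMPLE_RECORDS = """\
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 03262916
Memory Dump Source
• Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
Similarity
• API ID: AllocVirtual
• Instruction Fuzzy Hash: 1A1159729002498FCF10DFA9D8447EEBBF1AF88314F148829E915A7650C7359941CFA0
Uniqueness Score: -1.00%
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0181BE89,00000800,00000000,00000000), ref: 0181C09A
Memory Dump Source
• Source File: 00000000.00000002.243226093.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false
Similarity
• API ID: LibraryLoad
• Instruction Fuzzy Hash: 481114B69002088FDB24CF9AD444BDEFBF8EB49354F00852EE919B7200C375AA45CFA5
Uniqueness Score: -1.00%
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0181BE89,00000800,00000000,00000000), ref: 0181C09A
Memory Dump Source
• Source File: 00000000.00000002.243226093.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false
Similarity
• API ID: LibraryLoad
• Instruction Fuzzy Hash: 091106B6C003499FDB10CF9AD444BDEFBF4AB49314F14851AD955A7200C375A645CFA5
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
Similarity
• API ID: ResumeThread
• Instruction Fuzzy Hash: F5113AB1D043498BCB10DFAAC4447EFFBF5AF88224F14882DD519A7640C778A944CFA4
Uniqueness Score: -1.00%
"""

API_CALL = re.compile(r"^\W*(?P<name>\w+)\.(?P<module>\w+)\(.*\),\s*ref:\s*(?P<ref>[0-9A-F]+)$", re.I)
OFFSET = re.compile(r"Offset:\s*(?P<off>[0-9A-F]+)", re.I)
FIELD = re.compile(r"^\W*(?P<key>[A-Za-z ]+):\s*(?P<val>.*)$")

# Assumed list: APIs that together form the allocate / write / run-in-another-process pattern.
INJECTION_APIS = {"VirtualAllocEx", "WriteProcessMemory", "NtWriteVirtualMemory", "CreateRemoteThread",
                  "NtCreateThreadEx", "SetThreadContext", "NtUnmapViewOfSection", "ResumeThread"}


def parse_records(text):
    """One dict per record: captured API call lines, memory-dump offset, and bullet fields."""
    records, cur = [], {"apis": [], "offset": None, "fields": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Uniqueness Score"):          # terminator of every record
            records.append(cur)
            cur = {"apis": [], "offset": None, "fields": {}}
            continue
        if m := API_CALL.match(line):
            cur["apis"].append((m["name"], m["module"], m["ref"]))
        elif m := OFFSET.search(line):
            cur["offset"] = m["off"]
        elif m := FIELD.match(line):
            cur["fields"][m["key"].strip()] = m["val"].strip()
    return records


def api_names(record):
    """Resolved API names; fall back to the API ID field (assumed usable only when it equals the real name)."""
    names = {name for name, _, _ in record["apis"]}
    if not names and record["fields"].get("API ID"):
        names.add(record["fields"]["API ID"])
    return names


def regions(records):
    """Map each memory-dump offset to the set of API names reached from functions in that region."""
    by_region = defaultdict(set)
    for rec in records:
        if rec["offset"]:
            by_region[rec["offset"]] |= api_names(rec)
    return dict(by_region)


def injection_regions(records, min_hits=2):
    """Regions whose functions touch at least min_hits of the injection primitives."""
    return {off: sorted(apis & INJECTION_APIS) for off, apis in regions(records).items()
            if len(apis & INJECTION_APIS) >= min_hits}


def hash_agreement(h1, h2):
    """Fraction of positions at which two equal-length fuzzy hashes agree (illustrative, not the tool's metric)."""
    if not h1 or len(h1) != len(h2):
        return 0.0
    return sum(a == b for a, b in zip(h1, h2)) / len(h1)


def near_duplicates(records, threshold=0.65):
    """Pairs of same-region records whose instruction fuzzy hashes mostly agree: likely variants of one function."""
    pairs = []
    for i, a in enumerate(records):
        for b in records[i + 1:]:
            ha, hb = a["fields"].get("Instruction Fuzzy Hash"), b["fields"].get("Instruction Fuzzy Hash")
            if a["offset"] == b["offset"] and ha and hb and hash_agreement(ha, hb) >= threshold:
                pairs.append((ha[:8], hb[:8], round(hash_agreement(ha, hb), 2)))
    return pairs


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("APIs per region:", regions(recs))
    print("injection regions:", injection_regions(recs))
    print("near-duplicate functions:", near_duplicates(recs))
```

On the sample, region 03260000 is reported with both VirtualAllocEx and ResumeThread, region 01810000 only with LoadLibraryExW, and the two LoadLibraryExW records score as near-duplicates (47 of 70 hash positions agree), which is why the report lists them as separate functions under one API ID. Feed the full listing instead of SAMPLE_RECORDS to get the same summary for every region in the report.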

                      Non-executed Functions

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: #mX$'jT
                      • API String ID: 0-2170581488
                      • Opcode ID: 7e336545d3e8729adb4b0d817ac64b7d5a8ad9b334dbe1cae6e4c6203ebd5ffc
                      • Instruction ID: 94ad8261325640427e733f4b6e729bb8f36e3d191260916480821dafb5fb6bf9
                      • Opcode Fuzzy Hash: 7e336545d3e8729adb4b0d817ac64b7d5a8ad9b334dbe1cae6e4c6203ebd5ffc
                      • Instruction Fuzzy Hash: ED414670E26209DFDB14CFA9E5805ADFBF2FF89214F20A52AD006B7258D7749D82CB14
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: %#D
                      • API String ID: 0-8865091
                      • Opcode ID: 8a398491ea3b0b7e761e85d3df4eb1f4a0b3b3528fa3e9baa2fc3ec57f58fb1c
                      • Instruction ID: facda177208b5b8b2fc7bfc979fbdfa56d3326734a2154dfad08cc2c769f36a0
                      • Opcode Fuzzy Hash: 8a398491ea3b0b7e761e85d3df4eb1f4a0b3b3528fa3e9baa2fc3ec57f58fb1c
                      • Instruction Fuzzy Hash: 2891F874E25209CFCB18CFA5D5815DEFBF2EF89301F20942AD409BB258DB709A818F65
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: %#D
                      • API String ID: 0-8865091
                      • Opcode ID: a44e578dc5b8b9da41ed0cea178e321fbc4fd5bbb3511f01603cbb15aa1b7924
                      • Instruction ID: 0b7a036a599486804ab7108597848c1e05a59f6e04b80661dade64dd01e98bd0
                      • Opcode Fuzzy Hash: a44e578dc5b8b9da41ed0cea178e321fbc4fd5bbb3511f01603cbb15aa1b7924
                      • Instruction Fuzzy Hash: 25911774E25209CFCB08CFA9D58159EFBF2EF89301F20946AD405BB218DB709A81CF55
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.245050639.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 85464d5aa124241326e8556368701218787e4220739d074414921effc30b27bc
                      • Instruction ID: 5c0089732b380bb99c58bbc3ae082f600ea17dc95a30e1132e8168e4ec2f3935
                      • Opcode Fuzzy Hash: 85464d5aa124241326e8556368701218787e4220739d074414921effc30b27bc
                      • Instruction Fuzzy Hash: 55D1F730D20B5A8ACB10EF64C994AA9B7B1FFD5300F50D79AD60977214EF706AC9CB91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.243226093.0000000001810000.00000040.00000001.sdmp, Offset: 01810000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7df127be31f765dfcee737fdb68d9fa30c0180bb05d900580c507ad4f353d851
                      • Instruction ID: 295de06b2786f64aad0e76c8bdb64b48e732444264f617783d95c7631f10ec95
                      • Opcode Fuzzy Hash: 7df127be31f765dfcee737fdb68d9fa30c0180bb05d900580c507ad4f353d851
                      • Instruction Fuzzy Hash: C6A19136E0021A8FCF05DFB9C8445DDBBB6FF85300B15856AE905EB225EB35AA55CB40
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.245050639.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5f6e6c470562f2f278068d081729425a7be02c8601883ded639de4ecea5ab73f
                      • Instruction ID: c7c92471e3ad2dd1839ed87747f78f1057b583680743654f42a8debd922059e9
                      • Opcode Fuzzy Hash: 5f6e6c470562f2f278068d081729425a7be02c8601883ded639de4ecea5ab73f
                      • Instruction Fuzzy Hash: 68D1F730D2075A8ACB10EF64C994AA9B7B1FFD5300F50D79AD60977214EF70AAC9CB91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4eba8bae64ae4e92de1289bdfd280ecc640a8b1c1815c3b131abdd22843d9796
                      • Instruction ID: 1e3093f7591486898879121fcd0e9d21126fb90e7063b1c8d82afbc4f358916c
                      • Opcode Fuzzy Hash: 4eba8bae64ae4e92de1289bdfd280ecc640a8b1c1815c3b131abdd22843d9796
                      • Instruction Fuzzy Hash: 04819F70E1924A9FCB04CFA9C4815AEFBF2EF89300F18C46AC555B7295D7749581CFA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: decfdf525a421198d9e45586c74fe4be7b77efd06eb60462a62baf2cb566881c
                      • Instruction ID: 7784ebbbe0e734e784df4da2a0ee83fa7466088af7439427232a019cd54dbe34
                      • Opcode Fuzzy Hash: decfdf525a421198d9e45586c74fe4be7b77efd06eb60462a62baf2cb566881c
                      • Instruction Fuzzy Hash: 95716970E2860A9FCB04CFA9C5859AEFBF2EF88310F14D469D515B7294D7749A81CFA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.243341862.0000000003260000.00000040.00000001.sdmp, Offset: 03260000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 33febedfe57268645704e28fbf7b2dda22003cc7ba3502aabe29e3a6924e0300
                      • Instruction ID: 3aa5957de96520ef6289fb1e5afbaa01649eb966d5d4f401d4a98a59948bada1
                      • Opcode Fuzzy Hash: 33febedfe57268645704e28fbf7b2dda22003cc7ba3502aabe29e3a6924e0300
                      • Instruction Fuzzy Hash: 8E515A328492828FC725CF78CCD6285BBB1BF5A30876D099DC8D54B612E73576B1CB86
                      Uniqueness

                      Uniqueness Score: -1.00%