
Analysis Report Quotation_Order.pdf.exe

Overview

General Information

Sample Name: Quotation_Order.pdf.exe
Analysis ID: 412548
MD5: 9ec5d09c8adefbf30598a5bd5f8d826e
SHA1: f296a55c93796fa015fb4b071122435062cc995d
SHA256: 53e8a1a34cdfdd3e81842a5211699596cc2da10ef2a94554d330f99b749a214e
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Startup

  • System is w10x64
  • Quotation_Order.pdf.exe (PID: 3632 cmdline: 'C:\Users\user\Desktop\Quotation_Order.pdf.exe' MD5: 9EC5D09C8ADEFBF30598A5BD5F8D826E)
    • schtasks.exe (PID: 4728 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NzjsARuyfeoDS' /XML 'C:\Users\user\AppData\Local\Temp\tmpAE98.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • MSBuild.exe (PID: 5016 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: D621FD77BD585874F9686D3A76462EF1)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "6f656d69-7475-8807-1300-000c0a4c", "Domain1": "185.140.53.138", "Domain2": "wealth2021.ddns.net", "Port": 20221, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.505268694.00000000056C0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000005.00000002.505268694.00000000056C0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
00000005.00000002.505644430.00000000058D0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
00000005.00000002.505644430.00000000058D0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
00000005.00000002.505644430.00000000058D0000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.MSBuild.exe.41eff7c.2.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
5.2.MSBuild.exe.41eff7c.2.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
5.2.MSBuild.exe.41eff7c.2.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
5.2.MSBuild.exe.58d0000.8.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
5.2.MSBuild.exe.58d0000.8.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 5016, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 5016, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentCommandLine: 'C:\Users\user\Desktop\Quotation_Order.pdf.exe' , ParentImage: C:\Users\user\Desktop\Quotation_Order.pdf.exe, ParentProcessId: 3632, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 5016

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 5016, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 5016, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000002.504649374.00000000041E9000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "6f656d69-7475-8807-1300-000c0a4c", "Domain1": "185.140.53.138", "Domain2": "wealth2021.ddns.net", "Port": 20221, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for domain / URL
Source: wealth2021.ddns.net | Virustotal: Detection: 6%
Source: wealth2021.ddns.net | Virustotal: Detection: 6%
Source: 185.140.53.138 | Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\NzjsARuyfeoDS.exe | ReversingLabs: Detection: 25%
Multi AV Scanner detection for submitted file
Source: Quotation_Order.pdf.exe | ReversingLabs: Detection: 25%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000005.00000002.505644430.00000000058D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.501077048.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.242494583.0000000003EB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.504649374.00000000041E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.495341010.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.242708300.0000000004005000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation_Order.pdf.exe PID: 3632, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 5016, type: MEMORY
Source: Yara match | File source: 5.2.MSBuild.exe.41eff7c.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.58d0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.41eb146.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.41f45a5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Quotation_Order.pdf.exe.3f6c678.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.58d4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.58d0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Quotation_Order.pdf.exe.3f6c678.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.41eff7c.2.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\NzjsARuyfeoDS.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Quotation_Order.pdf.exe | Joe Sandbox ML: detected
Source: 5.2.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.MSBuild.exe.58d0000.8.unpack | Avira: Label: TR/NanoCore.fadte
Source: Quotation_Order.pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Quotation_Order.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 1_2_04EC8300
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 1_2_04EC82F0
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 1_2_04EC83B4

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: wealth2021.ddns.net
Source: Malware configuration extractor | URLs: 185.140.53.138
Uses dynamic DNS services
Source: unknown | DNS query: name: wealth2021.ddns.net
Source: global traffic | TCP traffic: 192.168.2.7:49699 -> 185.140.53.138:20221
Source: Joe Sandbox View | IP Address: 185.140.53.138
Source: Joe Sandbox View | ASN Name: DAVID_CRAIGGG
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.31.4
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.31.4
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.31.4
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.31.4
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.31.4
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.31.4
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.31.4
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.31.4
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.31.4
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.31.4
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.31.4
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.31.4
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.31.4
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.31.4
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.31.4
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.31.4
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.31.4
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.31.4
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.31.4
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.31.4
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.31.4
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.31.4
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | DNS traffic detected: queries for: clientconfig.passport.net
Source: Quotation_Order.pdf.exe, 00000001.00000002.242066967.0000000002EB1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quotation_Order.pdf.exe, 00000001.00000002.242066967.0000000002EB1000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49677
Source: unknown | Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown | Network traffic detected: HTTP traffic on port 49683 -> 443
Source: MSBuild.exe, 00000005.00000002.504649374.00000000041E9000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000005.00000002.505644430.00000000058D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.501077048.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.242494583.0000000003EB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.504649374.00000000041E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.495341010.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.242708300.0000000004005000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation_Order.pdf.exe PID: 3632, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 5016, type: MEMORY
Source: Yara match | File source: 5.2.MSBuild.exe.41eff7c.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.58d0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.41eb146.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.41f45a5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Quotation_Order.pdf.exe.3f6c678.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.58d4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.58d0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Quotation_Order.pdf.exe.3f6c678.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.41eff7c.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000005.00000002.505268694.00000000056C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000005.00000002.505644430.00000000058D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000001.00000002.242494583.0000000003EB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000001.00000002.242494583.0000000003EB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.504649374.00000000041E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.495341010.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000005.00000002.495341010.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.242708300.0000000004005000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000001.00000002.242708300.0000000004005000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Quotation_Order.pdf.exe PID: 3632, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: Quotation_Order.pdf.exe PID: 3632, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 5016, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: MSBuild.exe PID: 5016, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.MSBuild.exe.41eff7c.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.MSBuild.exe.58d0000.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.MSBuild.exe.41eb146.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.MSBuild.exe.41eb146.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.MSBuild.exe.41f45a5.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.Quotation_Order.pdf.exe.3f6c678.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.Quotation_Order.pdf.exe.3f6c678.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.MSBuild.exe.58d4629.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.MSBuild.exe.56c0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.MSBuild.exe.58d0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.Quotation_Order.pdf.exe.3f6c678.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.Quotation_Order.pdf.exe.3f6c678.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.MSBuild.exe.41eff7c.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.MSBuild.exe.31daf08.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Quotation_Order.pdf.exe
Source: initial sample | Static PE information: Filename: Quotation_Order.pdf.exe
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Code function: 1_2_0156C2B0
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Code function: 1_2_015699D8
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Code function: 1_2_04EC4460
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Code function: 1_2_04EC3D68
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Code function: 1_2_04EC39F8
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Code function: 1_2_04EC4A78
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Code function: 1_2_04EC8A31
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Code function: 1_2_04EC7204
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Code function: 1_2_04EC54A7
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Code function: 1_2_04EC54B8
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Code function: 1_2_04EC4450
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Code function: 1_2_04EC3D58
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Code function: 1_2_04EC58E1
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Code function: 1_2_04EC58F0
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Code function: 1_2_04EC18D0
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Code function: 1_2_04EC1889
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Code function: 1_2_04EC3829
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Code function: 1_2_04EC39E8
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Code function: 1_2_04EC5AEB
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Code function: 1_2_04EC1289
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Code function: 1_2_04EC1298
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Code function: 1_2_04EC4A68
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Code function: 1_2_04EC5B70
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Code function: 1_2_04EC5B19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 5_2_0151E471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 5_2_0151E480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 5_2_0151BBD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 5_2_056B6550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 5_2_056BC670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 5_2_056B4A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 5_2_056BF428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 5_2_056B3E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 5_2_056BBA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 5_2_056BC72E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 5_2_056B4B08
Source: Quotation_Order.pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: NzjsARuyfeoDS.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Quotation_Order.pdf.exe | Binary or memory string: OriginalFilename vs Quotation_Order.pdf.exe
Source: Quotation_Order.pdf.exe, 00000001.00000002.241246228.0000000000B22000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameEnvironmentVariableTarget.exeP vs Quotation_Order.pdf.exe
Source: Quotation_Order.pdf.exe, 00000001.00000002.246806809.000000000BFF0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Quotation_Order.pdf.exe
Source: Quotation_Order.pdf.exe, 00000001.00000002.246806809.000000000BFF0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Quotation_Order.pdf.exe
Source: Quotation_Order.pdf.exe, 00000001.00000002.246339335.00000000062B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs Quotation_Order.pdf.exe
Source: Quotation_Order.pdf.exe, 00000001.00000002.246658002.000000000BF00000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Quotation_Order.pdf.exe
Source: Quotation_Order.pdf.exe, 00000001.00000002.242066967.0000000002EB1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs Quotation_Order.pdf.exe
Source: Quotation_Order.pdf.exe | Binary or memory string: OriginalFilenameEnvironmentVariableTarget.exeP vs Quotation_Order.pdf.exe
Source: Quotation_Order.pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000005.00000002.505268694.00000000056C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.505268694.00000000056C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.505644430.00000000058D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.505644430.00000000058D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.242494583.0000000003EB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.242494583.0000000003EB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.504649374.00000000041E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.495341010.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.495341010.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.242708300.0000000004005000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.242708300.0000000004005000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Quotation_Order.pdf.exe PID: 3632, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Quotation_Order.pdf.exe PID: 3632, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MSBuild.exe PID: 5016, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: MSBuild.exe PID: 5016, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.MSBuild.exe.41eff7c.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.MSBuild.exe.41eff7c.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 5.2.MSBuild.exe.58d0000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 5.2.MSBuild.exe.58d0000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 5.2.MSBuild.exe.41eb146.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 5.2.MSBuild.exe.41eb146.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 5.2.MSBuild.exe.41eb146.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 5.2.MSBuild.exe.41f45a5.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 5.2.MSBuild.exe.41f45a5.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Quotation_Order.pdf.exe.3f6c678.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Quotation_Order.pdf.exe.3f6c678.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Quotation_Order.pdf.exe.3f6c678.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 5.2.MSBuild.exe.58d4629.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 5.2.MSBuild.exe.58d4629.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 5.2.MSBuild.exe.56c0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 5.2.MSBuild.exe.56c0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 5.2.MSBuild.exe.58d0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 5.2.MSBuild.exe.58d0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Quotation_Order.pdf.exe.3f6c678.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Quotation_Order.pdf.exe.3f6c678.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Quotation_Order.pdf.exe.3f6c678.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 5.2.MSBuild.exe.41eff7c.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 5.2.MSBuild.exe.41eff7c.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 5.2.MSBuild.exe.31daf08.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 5.2.MSBuild.exe.31daf08.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Quotation_Order.pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: NzjsARuyfeoDS.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/5@13/1
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | File created: C:\Users\user\AppData\Roaming\NzjsARuyfeoDS.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4812:120:WilError_01
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\bkNPcNhvYxS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{ae697278-0563-480d-a326-4f0ab2164ba0}
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmpAE98.tmp
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Quotation_Order.pdf.exe, 00000001.00000002.242066967.0000000002EB1000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Quotation_Order.pdf.exe, 00000001.00000002.242066967.0000000002EB1000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Quotation_Order.pdf.exe, 00000001.00000002.242066967.0000000002EB1000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: Quotation_Order.pdf.exe, 00000001.00000002.242066967.0000000002EB1000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: Quotation_Order.pdf.exe, 00000001.00000002.242066967.0000000002EB1000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Quotation_Order.pdf.exe, 00000001.00000002.242066967.0000000002EB1000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Quotation_Order.pdf.exe, 00000001.00000002.242066967.0000000002EB1000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Quotation_Order.pdf.exe, 00000001.00000002.242066967.0000000002EB1000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: Quotation_Order.pdf.exe, 00000001.00000002.242066967.0000000002EB1000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: Quotation_Order.pdf.exe | ReversingLabs: Detection: 25%
Source: Quotation_Order.pdf.exe | String found in binary or memory: ^(Male|Female)$-Add Student Details :-
Source: Quotation_Order.pdf.exe | String found in binary or memory: Teacher Name-Add Teacher Details :-
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | File read: C:\Users\user\Desktop\Quotation_Order.pdf.exe
Source: unknown | Process created: C:\Users\user\Desktop\Quotation_Order.pdf.exe 'C:\Users\user\Desktop\Quotation_Order.pdf.exe'
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NzjsARuyfeoDS' /XML 'C:\Users\user\AppData\Local\Temp\tmpAE98.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Quotation_Order.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Quotation_Order.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

      Data Obfuscation:

.NET source code contains potential unpacker
Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: initial sample | Static PE information: section name: .text entropy: 7.64683515737
Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | File created: C:\Users\user\AppData\Roaming\NzjsARuyfeoDS.exe

      Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NzjsARuyfeoDS' /XML 'C:\Users\user\AppData\Local\Temp\tmpAE98.tmp'

      Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe | Static PE information: Quotation_Order.pdf.exe
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Process information set: NOOPENFILEERRORBOX (35 identical entries in the original report)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX (39 identical entries in the original report)

      Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 00000001.00000002.242066967.0000000002EB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation_Order.pdf.exe PID: 3632, type: MEMORY
Source: Yara match | File source: 1.2.Quotation_Order.pdf.exe.2ed8f84.1.raw.unpack, type: UNPACKEDPE
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Quotation_Order.pdf.exe, 00000001.00000002.242066967.0000000002EB1000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Quotation_Order.pdf.exe, 00000001.00000002.242066967.0000000002EB1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 6242
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 3336
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: foregroundWindowGot 1004
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe TID: 4312 | Thread sleep time: -104417s >= -30000s
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe TID: 5516 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5948 | Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Thread delayed: delay time: 104417
Source: MSBuild.exe, 00000005.00000002.506133432.0000000006AF0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Quotation_Order.pdf.exe, 00000001.00000002.242066967.0000000002EB1000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: Quotation_Order.pdf.exe, 00000001.00000002.242066967.0000000002EB1000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Quotation_Order.pdf.exe, 00000001.00000002.242066967.0000000002EB1000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Quotation_Order.pdf.exe, 00000001.00000002.242066967.0000000002EB1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: Quotation_Order.pdf.exe, 00000001.00000002.242066967.0000000002EB1000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: Quotation_Order.pdf.exe, 00000001.00000002.242066967.0000000002EB1000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: MSBuild.exe, 00000005.00000002.506133432.0000000006AF0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: MSBuild.exe, 00000005.00000002.506133432.0000000006AF0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Quotation_Order.pdf.exe, 00000001.00000002.242066967.0000000002EB1000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
      Source: Quotation_Order.pdf.exe, 00000001.00000002.242066967.0000000002EB1000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
      Source: Quotation_Order.pdf.exe, 00000001.00000002.242066967.0000000002EB1000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
      Source: MSBuild.exe, 00000005.00000002.506133432.0000000006AF0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\Quotation_Order.pdf.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Users\user\Desktop\Quotation_Order.pdf.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Users\user\Desktop\Quotation_Order.pdf.exeMemory allocated: page read and write | page guardJump to behavior

      HIPS / PFW / Operating System Protection Evasion:

      barindex
      Allocates memory in foreign processesShow sources
      Source: C:\Users\user\Desktop\Quotation_Order.pdf.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and writeJump to behavior
      Injects a PE file into a foreign processesShow sources
      Source: C:\Users\user\Desktop\Quotation_Order.pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5AJump to behavior
      Writes to foreign memory regionsShow sources
      Source: C:\Users\user\Desktop\Quotation_Order.pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000Jump to behavior
      Source: C:\Users\user\Desktop\Quotation_Order.pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000Jump to behavior
      Source: C:\Users\user\Desktop\Quotation_Order.pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 420000Jump to behavior
      Source: C:\Users\user\Desktop\Quotation_Order.pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 422000Jump to behavior
      Source: C:\Users\user\Desktop\Quotation_Order.pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F8B008Jump to behavior
      Source: C:\Users\user\Desktop\Quotation_Order.pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NzjsARuyfeoDS' /XML 'C:\Users\user\AppData\Local\Temp\tmpAE98.tmp'Jump to behavior
      Source: C:\Users\user\Desktop\Quotation_Order.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeJump to behavior
      Source: MSBuild.exe, 00000005.00000002.499931451.0000000001AC0000.00000002.00000001.sdmpBinary or memory string: uProgram Manager
      Source: MSBuild.exe, 00000005.00000002.505954656.00000000064DD000.00000004.00000001.sdmpBinary or memory string: Program Manager
      Source: MSBuild.exe, 00000005.00000002.499931451.0000000001AC0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: MSBuild.exe, 00000005.00000002.499931451.0000000001AC0000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: MSBuild.exe, 00000005.00000002.506028720.000000000671D000.00000004.00000001.sdmpBinary or memory string: 5lProgram Manager
      Source: MSBuild.exe, 00000005.00000002.499931451.0000000001AC0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
      Source: MSBuild.exe, 00000005.00000002.501682735.00000000032EB000.00000004.00000001.sdmpBinary or memory string: Program Manager`
      Source: C:\Users\user\Desktop\Quotation_Order.pdf.exeQueries volume information: C:\Users\user\Desktop\Quotation_Order.pdf.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Quotation_Order.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Quotation_Order.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Quotation_Order.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Quotation_Order.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Quotation_Order.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformationJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformationJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\Quotation_Order.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
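The evidence lines above describe three behaviours worth extracting automatically from a report like this one: the process-hollowing sequence (MSBuild.exe created by the loader, an executable-and-writable region allocated in it at base 400000, then a write at that base whose first bytes are 4D5A, the "MZ" signature of a PE header), persistence through schtasks /Create with a task definition read from a temporary XML file, and the thread delays in the sandbox-evasion section that dwarf any analysis window. The script below is an added example, not code from this report, from Joe Security or from NanoCore: it parses lines laid out like the ones above and correlates them per source/target process. The input is constructed to mirror the report's evidence, and the line layout, the regular expressions and the 30000 delay threshold (the cut-off the report itself applies) are assumptions; a real log format needs its own parser.

```python
"""Triage of sandbox behaviour lines for hollowing, persistence and long sleeps.
Added example, not from the report or NanoCore; the input is constructed and
the line format is an assumption."""
import re
from collections import defaultdict

# Constructed input modelled on the report's evidence lines (not a real log).
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NzjsARuyfeoDS' /XML 'C:\Users\user\AppData\Local\Temp\tmpAE98.tmp'
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\Desktop\Quotation_Order.pdf.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F8B008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 6242
""".strip().splitlines()

SOURCE_RE = re.compile(r"^Source:\s*(?P<src>.+?)\s*\|\s*(?P<rest>.+)$")
ALLOC_RE = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$")
WRITE_RE = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<head>[0-9A-Fa-f]+))?$")
SCHTASKS_RE = re.compile(r"schtasks\.exe.*?/Create\b.*?/TN\s+'(?P<tn>[^']+)'.*?/XML\s+'(?P<xml>[^']+)'", re.I)
DELAY_RE = re.compile(r"delay time:\s*(?P<val>\d+)")
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def parse_events(lines):
    """Split each line into (source process, event kind, detail)."""
    events = []
    for line in lines:
        m = SOURCE_RE.match(line.strip())
        if not m or ": " not in m.group("rest"):
            continue
        kind, detail = m.group("rest").split(": ", 1)
        events.append((m.group("src"), kind.strip(), detail.strip()))
    return events


def find_hollowing(events):
    """One finding per (source, target) where the source created the target,
    allocated an executable+writable region in it and wrote a buffer starting
    with the MZ header at that same base: the hollowing pattern."""
    state = defaultdict(lambda: {"created": False, "rwx": set(), "mz": set(), "writes": []})
    for src, kind, detail in events:
        if kind == "Process created":
            # First token is the created image path (paths here contain no spaces).
            state[(src, detail.split(" ", 1)[0])]["created"] = True
        elif kind == "Memory allocated":
            m = ALLOC_RE.match(detail)
            if m and "execute" in m.group("prot") and "write" in m.group("prot"):
                state[(src, m.group("target"))]["rwx"].add(int(m.group("base"), 16))
        elif kind == "Memory written":
            m = WRITE_RE.match(detail)
            if m:
                s = state[(src, m.group("target"))]
                base = int(m.group("base"), 16)
                s["writes"].append(base)
                if (m.group("head") or "").upper().startswith("4D5A"):
                    s["mz"].add(base)
    findings = []
    for (src, target), s in state.items():
        bases = s["rwx"] & s["mz"]
        if s["created"] and bases:
            findings.append({"source": src, "target": target,
                             "image_base": min(bases), "write_bases": sorted(s["writes"])})
    return findings


def find_scheduled_tasks(events):
    """schtasks /Create with the task definition loaded from an XML file; an
    XML under the user's Temp directory is the suspicious part."""
    findings = []
    for src, kind, detail in events:
        m = SCHTASKS_RE.search(detail) if kind == "Process created" else None
        if m:
            findings.append({"source": src, "task_name": m.group("tn"), "xml": m.group("xml"),
                             "xml_in_temp": bool(TEMP_DIR_RE.search(m.group("xml")))})
    return findings


def find_long_delays(events, threshold=30000):
    """Thread delays at or above the threshold, in the units the report uses."""
    out = []
    for src, kind, detail in events:
        m = DELAY_RE.search(detail) if kind == "Thread delayed" else None
        if m and int(m.group("val")) >= threshold:
            out.append({"source": src, "delay": int(m.group("val"))})
    return out


def triage(lines):
    events = parse_events(lines)
    return {"hollowing": find_hollowing(events),
            "scheduled_tasks": find_scheduled_tasks(events),
            "long_delays": find_long_delays(events)}
```

Run `triage(SAMPLE_LINES)` and you get one hollowing finding for MSBuild.exe with image base 0x400000 and the three write bases, one scheduled-task finding whose XML lives under Temp, and the one delay above threshold. Correlating allocation, MZ write and process creation on the same (source, target) pair is what separates hollowing from the many benign cross-process writes a .NET host performs; a write with no preceding RWX allocation or no MZ header is recorded but not reported.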

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000005.00000002.505644430.00000000058D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.501077048.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.242494583.0000000003EB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.504649374.00000000041E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.495341010.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.242708300.0000000004005000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation_Order.pdf.exe PID: 3632, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 5016, type: MEMORY
Source: Yara match | File source: 5.2.MSBuild.exe.41eff7c.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.58d0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.41eb146.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.41f45a5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Quotation_Order.pdf.exe.3f6c678.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.58d4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.58d0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Quotation_Order.pdf.exe.3f6c678.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.41eff7c.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: Quotation_Order.pdf.exe, 00000001.00000002.242708300.0000000004005000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000005.00000002.505268694.00000000056C0000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000005.00000002.505268694.00000000056C0000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
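The "Detected Nanocore Rat" evidence above is a plain string match on the .NET metadata of the injected payload (type names such as NanoCore.ClientPluginHost and IClientNetworkHost, and the ClientPlugin.dll module name), and the sandbox-evasion section earlier rests on the same kind of evidence from the loader's memory (SBIEDLL.DLL, WINE_GET_UNIX_FILE_NAME, the VMware Tools paths and registry keys, and the Add-MpPreference -ExclusionPath fragment that points at a Defender exclusion). The scanner below is an added example, not code from this report, from Joe Security or from NanoCore: it searches a memory buffer for both indicator families in ASCII and in UTF-16LE, the encoding the .NET runtime uses for in-memory strings, which is why a naive ASCII-only strings pass misses most of what this report shows. The buffer is constructed here from the report's own strings, and the indicator lists are assumptions drawn from this report, not a complete signature set.

```python
"""String-indicator scan of a process memory dump in ASCII and UTF-16LE.
Added example, not from the report or NanoCore; the dump is constructed and
the indicator lists are drawn from this report only."""

# Indicator families as surfaced by the report (assumption: not exhaustive).
INDICATORS = {
    "sandbox_probe": ["SbieDll.dll", "wine_get_unix_file_name"],
    "vm_probe": [
        "VMware SVGA II",
        "SOFTWARE\\VMware, Inc.\\VMware Tools",
        "C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\",
        "Ven_NECVMWar&Prod_VMware_SATA_CD00",
        "SYSTEM\\ControlSet001\\Services\\Disk\\Enum",
    ],
    "defender_exclusion": ["Add-MpPreference -ExclusionPath"],
    "nanocore_marker": ["NanoCore.ClientPluginHost", "IClientNetworkHost", "ClientPlugin.dll"],
}
ENCODINGS = ("ascii", "utf-16le")


def scan_strings(data):
    """Return every indicator hit with its family, encoding and byte offset.
    Matching is case-insensitive: bytes.lower() only touches ASCII letters, so
    the interleaved NUL bytes of UTF-16LE text are left untouched."""
    hay = data.lower()
    hits = []
    for family, needles in INDICATORS.items():
        for needle in needles:
            for enc in ENCODINGS:
                pat = needle.lower().encode(enc)
                pos = hay.find(pat)
                while pos != -1:
                    hits.append({"family": family, "indicator": needle,
                                 "encoding": enc, "offset": pos})
                    pos = hay.find(pat, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def summarize(hits):
    """Collapse hits into the verdict fields an analyst reads first."""
    families = {h["family"] for h in hits}
    return {
        "families": sorted(families),
        "evasion_capable": bool(families & {"sandbox_probe", "vm_probe"}),
        "tampers_with_defender": "defender_exclusion" in families,
        "likely_nanocore": "nanocore_marker" in families,
    }


def build_sample_dump():
    """Constructed dump: .NET-style UTF-16LE strings taken from the report's
    evidence plus one ASCII string, separated by NUL filler. Not a real dump."""
    filler = b"\x00" * 16
    parts = [
        b"MZ\x90\x00", filler,
        "SOFTWARE\\VMware, Inc.\\VMware Tools".encode("utf-16le"), filler,
        'VMware SVGA II!Add-MpPreference -ExclusionPath "'.encode("utf-16le"), filler,
        b"SBIEDLL.DLL", filler,
        "NanoCore.ClientPluginHost".encode("utf-16le"), filler,
        "IClientNetworkHost".encode("utf-16le"), filler,
    ]
    return b"".join(parts)
```

`summarize(scan_strings(build_sample_dump()))` reports all three verdict flags set: the VMware strings and SBIEDLL.DLL arrive in different encodings, and the Defender exclusion fragment is found even though it is glued to "VMware SVGA II" in memory exactly as the report shows it. On a real dump, use the offsets to pull the surrounding region and confirm the hit is inside the unpacked payload rather than in a shared runtime string table.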
Yara detected Nanocore RAT
Source: Yara match | File source: 00000005.00000002.505644430.00000000058D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.501077048.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.242494583.0000000003EB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.504649374.00000000041E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.495341010.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.242708300.0000000004005000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation_Order.pdf.exe PID: 3632, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 5016, type: MEMORY
Source: Yara match | File source: 5.2.MSBuild.exe.41eff7c.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.58d0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.41eb146.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.41f45a5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Quotation_Order.pdf.exe.3f6c678.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.58d4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.58d0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Quotation_Order.pdf.exe.3f6c678.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.41eff7c.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter (2) | Scheduled Task/Job (1) | Process Injection (312) | Masquerading (11) | Input Capture (11) | Security Software Discovery (211) | Remote Services | Input Capture (11) | Exfiltration Over Other Network Medium | Encrypted Channel (12) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job (1) | Boot or Logon Initialization Scripts | Scheduled Task/Job (1) | Disable or Modify Tools (1) | LSASS Memory | Process Discovery (2) | Remote Desktop Protocol | Archive Collected Data (11) | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (31) | Security Account Manager | Virtualization/Sandbox Evasion (31) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (312) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol (1) | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol (22) | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information (12) | Cached Domain Credentials | System Information Discovery (12) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing (13) | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

      Behavior Graph


      Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Quotation_Order.pdf.exe | 26% | ReversingLabs | Win32.Trojan.AgentTesla
Quotation_Order.pdf.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\NzjsARuyfeoDS.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\NzjsARuyfeoDS.exe | 26% | ReversingLabs | Win32.Trojan.AgentTesla

Unpacked PE Files

Source | Detection | Scanner | Label
5.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
5.2.MSBuild.exe.58d0000.8.unpack | 100% | Avira | TR/NanoCore.fadte

Domains

Source | Detection | Scanner
wealth2021.ddns.net | 7% | Virustotal
clientconfig.passport.net | 0% | Virustotal

URLs

Source | Detection | Scanner | Label
wealth2021.ddns.net | 7% | Virustotal |
wealth2021.ddns.net | 0% | Avira URL Cloud | safe
185.140.53.138 | 8% | Virustotal |
185.140.53.138 | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
wealth2021.ddns.net | 185.140.53.138 | true | true | | unknown
clientconfig.passport.net | unknown | unknown | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
wealth2021.ddns.net | true | 7% Virustotal; Avira URL Cloud: safe | unknown
185.140.53.138 | true | 8% Virustotal; Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Quotation_Order.pdf.exe, 00000001.00000002.242066967.0000000002EB1000.00000004.00000001.sdmp | false | | high
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | Quotation_Order.pdf.exe, 00000001.00000002.242066967.0000000002EB1000.00000004.00000001.sdmp | false | | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.140.53.138 | wealth2021.ddns.net | Sweden | 209623 | DAVID_CRAIGGG | true

          General Information

          Joe Sandbox Version:32.0.0 Black Diamond
          Analysis ID:412548
          Start date:12.05.2021
          Start time:19:08:39
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 8m 9s
          Hypervisor based Inspection enabled:false
          Report type:full
          Sample file name:Quotation_Order.pdf.exe
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:31
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@6/5@13/1
          EGA Information:Failed
          HDC Information:
          • Successful, ratio: 0% (good quality ratio 0%)
          • Quality average: 39%
          • Quality standard deviation: 0%
          HCA Information:
          • Successful, ratio: 99%
          • Number of executed functions: 70
          • Number of non-executed functions: 14
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          • Found application associated with file extension: .exe
          Warnings:
          • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
          • Excluded IPs from analysis (whitelisted): 88.221.62.148, 92.123.150.225, 20.190.160.75, 20.190.160.4, 20.190.160.8, 20.190.160.129, 20.190.160.134, 20.190.160.2, 20.190.160.132, 20.190.160.73, 13.88.21.125, 131.253.33.200, 13.107.22.200, 20.50.102.62, 104.43.193.48, 92.122.145.220, 184.30.24.56, 20.82.210.154, 2.20.143.16, 2.20.142.209, 92.122.213.194, 92.122.213.247, 52.155.217.156, 20.54.26.129
          • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e11290.dspg.akamaiedge.net, e13551.dscg.akamaiedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, msagfx.live.com-6.edgekey.net, e12564.dspb.akamaiedge.net, authgfx.msa.akadns6.net, go.microsoft.com, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, www.tm.a.prd.aadg.akadns.net, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.

          Simulations

          Behavior and APIs

Time | Type | Description
19:09:31 | API Interceptor | 2x Sleep call for process: Quotation_Order.pdf.exe modified

          Joe Sandbox View / Context

          IPs

Match: 185.140.53.138, previously seen with the following samples, all detected as malicious
• New_Order.pdf.exe
• New_Quotation_Request.pdf.exe
• QUOTATION_ORDER.pdf.exe
• URGENTPURCHASEORDER.pdf.exe
• NEW_ORDER.pdf.exe
• NEW_ORDER.pdf.exe
• Quotation_Request.pdf.exe
• URGENT_ORDER.pdf.exe
• Purchase_Order.pdf.exe
• 1PH37n4Gva.exe
• 35dbds3GQG.exe
• QXJGE2LOdP.exe
• O4m3hDFNbh.exe
• nrv_remittance#U007eorder#U007epayment.exe
• NEW ORDER REQUEST_EXPORT005JKL DOC.exe
• WIRE COPY ORDER T104484_PP.exe
• 71AXBkD1wA.exe

                                            Domains

Match: wealth2021.ddns.net, previously seen with the following samples, all detected as malicious and all resolving the domain to 185.140.53.138
• New_Order.pdf.exe
• New_Quotation_Request.pdf.exe
• QUOTATION_ORDER.pdf.exe
• URGENTPURCHASEORDER.pdf.exe
• NEW_ORDER.pdf.exe
• NEW_ORDER.pdf.exe
• Quotation_Request.pdf.exe
• URGENT_ORDER.pdf.exe
• Purchase_Order.pdf.exe

                                            ASN

Match: DAVID_CRAIGGG, previously seen with the following samples, all detected as malicious (contacted IP in parentheses)
• New_Order.pdf.exe (185.140.53.138)
• PaymentConfirmation.exe (185.140.53.71)
• Document - Banca Transilvania .exe (185.140.53.73)
• ATTACHED DRAWING AND SPECIFICATION.jar (185.244.30.4)
• ATTACHED DRAWING AND SPECIFICATION.jar (185.244.30.4)
• PO.98504_samples.exe (185.140.53.69)
• cotizaci#U00f3n.PDF.exe (185.140.53.137)
• Order Sheet.exe (185.140.53.139)
• EU_SANCTION_LETTER-05052021.exe (185.140.53.230)
• purchase order 0234.exe (185.140.53.143)
• ORDER-210067.xls.exe (185.165.153.116)
• 03_pgr.exe (185.140.53.71)
• 02_tmp.exe (185.140.53.71)
• 03_pgr.exe (185.140.53.71)
• 12_tmp.exe (185.140.53.71)
• 13_pgr.exe (185.140.53.71)
• 02_tmp.exe (185.140.53.71)
• 12_pgr.exe (185.140.53.71)
• 11_tmp.exe (185.140.53.71)
• doc_07621DERG7011220213300.exe (185.140.53.230)

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation_Order.pdf.exe.log
Process: C:\Users\user\Desktop\Quotation_Order.pdf.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: true
Reputation: high, very likely benign file
                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                            C:\Users\user\AppData\Local\Temp\tmpAE98.tmp
Process: C:\Users\user\Desktop\Quotation_Order.pdf.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1662
Entropy (8bit): 5.177749092284426
Encrypted: false
SSDEEP: 24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBadItn:cbhH7MlNQ8/rydbz9I3YODOLNdq35
MD5: E660135146E8CB0D32A8D919D3E5EDFB
SHA1: C926BAB73227531FCC10FC858EEEA95C2E8F5919
SHA-256: 8ABE6F5D752965C7580F731D6B8913D0411CC11AEA384DF0129E0BD00A6D7B38
SHA-512: E08C424B67F986918BEDA54E6405C2856CAE743BA1AED87BF355A18957289522591EBB4C22FA1D1AAF610A3D86293F4ECBCE6B08573C5433CD22A3BC7154D41F
Malicious: true
Reputation: low
                                            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv
                                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type: data
Category: dropped
Size (bytes): 8
Entropy (8bit): 3.0
Encrypted: false
SSDEEP: 3:Zpn:7n
MD5: 8B98AB5B5A654BFA8F76362BCD7CF769
SHA1: F96F39798591F166592E2FC6C9F763EE8AA76C0C
SHA-256: BB6F884AF6AC368C3CD908AB97CB53B1EDDFE5C38867792A648F93C43D63A2E5
SHA-512: 6FF9761941D6A72BBC25DF41CF4C96F18CC340ACCF9AC50255DEADBB86EB34A8721BF201AB32AA30B46A86FB6CB7A8AE791FE025337E29FDEF23957076414DC6
Malicious: true
Reputation: low
                                            Preview: f..(...H
                                            C:\Users\user\AppData\Roaming\NzjsARuyfeoDS.exe
Process: C:\Users\user\Desktop\Quotation_Order.pdf.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 845312
Entropy (8bit): 7.315929774120675
Encrypted: false
SSDEEP: 12288:QTVyrD6tJgrDw4bS48LUT6CNVMwZiCckGqE7221yX87Nw6yhVphotxVgxL7s:QjE8LMhzVMPkGhJzJJgphotxVg5s
MD5: 9EC5D09C8ADEFBF30598A5BD5F8D826E
SHA1: F296A55C93796FA015FB4B071122435062CC995D
SHA-256: 53E8A1A34CDFDD3E81842A5211699596CC2DA10EF2A94554D330F99B749A214E
SHA-512: 2BD331E31A62C443EF655F995B5262DD7BA587011E92B48AEC9F005215A10A58CBCE628B348C3F09EC911DCA8A1F60868515BB154F4F6AD18FFE3178C0284A67
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 26%
Reputation: low
                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a.`..............P..6...........T... ...`....@.. .......................@............@..................................S..O....`..t.................... ....................................................... ............... ..H............text....4... ...6.................. ..`.rsrc...t....`.......8..............@..@.reloc....... ......................@..B.................S......H............................q...........................................0............( ...(!.........(.....o"....*.....................(#......($......(%......(&......('....*N..(....oS...((....*&..()....*.s*........s+........s,........s-........s.........*....0...........~....o/....+..*.0...........~....o0....+..*.0...........~....o1....+..*.0...........~....o2....+..*.0...........~....o3....+..*.0..<........~.....(4.....,!r...p.....(5...o6...s7............~.....+..*.0......
                                            C:\Users\user\AppData\Roaming\NzjsARuyfeoDS.exe:Zone.Identifier
Process: C:\Users\user\Desktop\Quotation_Order.pdf.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
                                            Preview: [ZoneTransfer]....ZoneId=0

                                            Static File Info

                                            General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.315929774120675
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: Quotation_Order.pdf.exe
File size: 845312
MD5: 9ec5d09c8adefbf30598a5bd5f8d826e
SHA1: f296a55c93796fa015fb4b071122435062cc995d
SHA256: 53e8a1a34cdfdd3e81842a5211699596cc2da10ef2a94554d330f99b749a214e
SHA512: 2bd331e31a62c443ef655f995b5262dd7ba587011e92b48aec9f005215a10a58cbce628b348c3f09ec911dca8a1f60868515bb154f4f6ad18ffe3178c0284a67
SSDEEP: 12288:QTVyrD6tJgrDw4bS48LUT6CNVMwZiCckGqE7221yX87Nw6yhVphotxVgxL7s:QjE8LMhzVMPkGhJzJJgphotxVg5s
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a..`..............P..6...........T... ...`....@.. .......................@............@................................

                                            File Icon

Icon Hash: cc92316d713396e8

                                            Static PE Info

                                            General

Entrypoint: 0x4b540a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x609BE761 [Wed May 12 14:34:09 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                            Entrypoint Preview

                                            Instruction
                                            jmp dword ptr [00402000h]
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al

                                            Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb53b8 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb6000 | 0x1ab74 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd2000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                            Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb3410 | 0xb3600 | False | 0.809437608885 | data | 7.64683515737 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xb6000 | 0x1ab74 | 0x1ac00 | False | 0.146082797897 | data | 3.15210936606 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xd2000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                            Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0xb6220 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0xb6688 | 0x162a | PNG image data, 256 x 256, 8-bit colormap, non-interlaced | |
RT_ICON | 0xb7cb4 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0xba25c | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0xbb304 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
RT_ICON | 0xcbb2c | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
RT_GROUP_ICON | 0xcfd54 | 0x5a | data | |
RT_VERSION | 0xcfdb0 | 0x394 | data | |
RT_MANIFEST | 0xd0144 | 0xa2e | XML 1.0 document, UTF-8 Unicode (with BOM) text | |

                                            Imports

DLL | Import
mscoree.dll | _CorExeMain

                                            Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2020
Assembly Version | 1.0.0.0
InternalName | EnvironmentVariableTarget.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | LibraryManagementSystem
ProductVersion | 1.0.0.0
FileDescription | LibraryManagementSystem
OriginalFilename | EnvironmentVariableTarget.exe

                                            Network Behavior

                                            Network Port Distribution

                                            TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 12, 2021 19:09:22.846283913 CEST | 443 | 49683 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:22.846308947 CEST | 443 | 49683 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:22.846324921 CEST | 443 | 49683 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:22.846340895 CEST | 443 | 49683 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:22.846357107 CEST | 443 | 49683 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:22.846373081 CEST | 443 | 49683 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:22.846389055 CEST | 443 | 49683 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:22.846407890 CEST | 443 | 49683 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:22.846426010 CEST | 443 | 49683 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:22.846441984 CEST | 443 | 49683 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:22.846457958 CEST | 443 | 49683 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:22.846473932 CEST | 443 | 49683 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:22.846488953 CEST | 443 | 49683 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:22.846502066 CEST | 443 | 49683 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:22.846523046 CEST | 49683 | 443 | 192.168.2.7 | 40.126.31.4
May 12, 2021 19:09:22.846616983 CEST | 49683 | 443 | 192.168.2.7 | 40.126.31.4
May 12, 2021 19:09:22.998435020 CEST | 49677 | 443 | 192.168.2.7 | 40.126.31.4
May 12, 2021 19:09:22.998537064 CEST | 49677 | 443 | 192.168.2.7 | 40.126.31.4
May 12, 2021 19:09:23.059084892 CEST | 443 | 49677 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:23.059104919 CEST | 443 | 49677 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:23.481117010 CEST | 443 | 49677 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:23.481146097 CEST | 443 | 49677 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:23.481164932 CEST | 443 | 49677 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:23.481180906 CEST | 443 | 49677 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:23.481197119 CEST | 443 | 49677 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:23.481236935 CEST | 443 | 49677 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:23.481252909 CEST | 443 | 49677 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:23.481259108 CEST | 49677 | 443 | 192.168.2.7 | 40.126.31.4
May 12, 2021 19:09:23.481268883 CEST | 443 | 49677 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:23.481287003 CEST | 443 | 49677 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:23.481364012 CEST | 49677 | 443 | 192.168.2.7 | 40.126.31.4
May 12, 2021 19:09:23.517539978 CEST | 49683 | 443 | 192.168.2.7 | 40.126.31.4
May 12, 2021 19:09:23.517594099 CEST | 49683 | 443 | 192.168.2.7 | 40.126.31.4
May 12, 2021 19:09:23.578279018 CEST | 443 | 49683 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:23.578300953 CEST | 443 | 49683 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:23.725044012 CEST | 443 | 49683 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:23.725066900 CEST | 443 | 49683 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:23.725083113 CEST | 443 | 49683 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:23.725100040 CEST | 443 | 49683 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:23.725116014 CEST | 443 | 49683 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:23.725131035 CEST | 443 | 49683 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:23.725147009 CEST | 443 | 49683 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:23.725167036 CEST | 443 | 49683 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:23.725186110 CEST | 443 | 49683 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:23.725208998 CEST | 49683 | 443 | 192.168.2.7 | 40.126.31.4
May 12, 2021 19:09:23.725244999 CEST | 49683 | 443 | 192.168.2.7 | 40.126.31.4
May 12, 2021 19:09:23.777213097 CEST | 49683 | 443 | 192.168.2.7 | 40.126.31.4
May 12, 2021 19:09:25.063285112 CEST | 49677 | 443 | 192.168.2.7 | 40.126.31.4
May 12, 2021 19:09:25.063342094 CEST | 49677 | 443 | 192.168.2.7 | 40.126.31.4
May 12, 2021 19:09:25.123919010 CEST | 443 | 49677 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:25.123980999 CEST | 443 | 49677 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:25.175136089 CEST | 443 | 49677 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:25.280019045 CEST | 443 | 49677 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:25.280054092 CEST | 443 | 49677 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:25.280073881 CEST | 443 | 49677 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:25.280092001 CEST | 443 | 49677 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:25.280133009 CEST | 49677 | 443 | 192.168.2.7 | 40.126.31.4
May 12, 2021 19:09:25.280145884 CEST | 443 | 49677 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:25.280165911 CEST | 49677 | 443 | 192.168.2.7 | 40.126.31.4
May 12, 2021 19:09:25.280169010 CEST | 443 | 49677 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:25.280189037 CEST | 443 | 49677 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:25.280217886 CEST | 49677 | 443 | 192.168.2.7 | 40.126.31.4
May 12, 2021 19:09:25.280247927 CEST | 443 | 49677 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:25.280266047 CEST | 443 | 49677 | 40.126.31.4 | 192.168.2.7
May 12, 2021 19:09:25.280294895 CEST | 49677 | 443 | 192.168.2.7 | 40.126.31.4
May 12, 2021 19:09:25.324054956 CEST | 49677 | 443 | 192.168.2.7 | 40.126.31.4
May 12, 2021 19:09:38.171716928 CEST | 49699 | 20221 | 192.168.2.7 | 185.140.53.138
May 12, 2021 19:09:38.220172882 CEST | 20221 | 49699 | 185.140.53.138 | 192.168.2.7
May 12, 2021 19:09:38.778301001 CEST | 49699 | 20221 | 192.168.2.7 | 185.140.53.138
May 12, 2021 19:09:38.826742887 CEST | 20221 | 49699 | 185.140.53.138 | 192.168.2.7
May 12, 2021 19:09:39.481555939 CEST | 49699 | 20221 | 192.168.2.7 | 185.140.53.138
May 12, 2021 19:09:39.529968977 CEST | 20221 | 49699 | 185.140.53.138 | 192.168.2.7
May 12, 2021 19:09:43.640548944 CEST | 49708 | 20221 | 192.168.2.7 | 185.140.53.138
May 12, 2021 19:09:43.690107107 CEST | 20221 | 49708 | 185.140.53.138 | 192.168.2.7
May 12, 2021 19:09:44.278798103 CEST | 49708 | 20221 | 192.168.2.7 | 185.140.53.138
May 12, 2021 19:09:44.328593969 CEST | 20221 | 49708 | 185.140.53.138 | 192.168.2.7
May 12, 2021 19:09:44.966310024 CEST | 49708 | 20221 | 192.168.2.7 | 185.140.53.138
May 12, 2021 19:09:45.014808893 CEST | 20221 | 49708 | 185.140.53.138 | 192.168.2.7
May 12, 2021 19:09:49.045957088 CEST | 49714 | 20221 | 192.168.2.7 | 185.140.53.138
May 12, 2021 19:09:49.094362974 CEST | 20221 | 49714 | 185.140.53.138 | 192.168.2.7
May 12, 2021 19:09:49.669847012 CEST | 49714 | 20221 | 192.168.2.7 | 185.140.53.138
May 12, 2021 19:09:49.718348980 CEST | 20221 | 49714 | 185.140.53.138 | 192.168.2.7
May 12, 2021 19:09:50.279330969 CEST | 49714 | 20221 | 192.168.2.7 | 185.140.53.138
May 12, 2021 19:09:50.328071117 CEST | 20221 | 49714 | 185.140.53.138 | 192.168.2.7
May 12, 2021 19:09:54.511395931 CEST | 49720 | 20221 | 192.168.2.7 | 185.140.53.138
May 12, 2021 19:09:54.560018063 CEST | 20221 | 49720 | 185.140.53.138 | 192.168.2.7
May 12, 2021 19:09:55.076503038 CEST | 49720 | 20221 | 192.168.2.7 | 185.140.53.138
May 12, 2021 19:09:55.126526117 CEST | 20221 | 49720 | 185.140.53.138 | 192.168.2.7
May 12, 2021 19:09:55.779757023 CEST | 49720 | 20221 | 192.168.2.7 | 185.140.53.138
May 12, 2021 19:09:55.828063011 CEST | 20221 | 49720 | 185.140.53.138 | 192.168.2.7
                                            May 12, 2021 19:09:59.909446955 CEST4972320221192.168.2.7185.140.53.138
                                            May 12, 2021 19:09:59.959532022 CEST2022149723185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:00.467593908 CEST4972320221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:00.515872955 CEST2022149723185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:01.077081919 CEST4972320221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:01.125736952 CEST2022149723185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:06.200220108 CEST4972420221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:06.248963118 CEST2022149724185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:06.843153000 CEST4972420221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:06.893260002 CEST2022149724185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:07.452687979 CEST4972420221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:07.501183987 CEST2022149724185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:11.516349077 CEST4972520221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:11.564758062 CEST2022149725185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:12.077969074 CEST4972520221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:12.126341105 CEST2022149725185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:12.781121016 CEST4972520221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:12.829613924 CEST2022149725185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:16.845335960 CEST4972820221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:16.893838882 CEST2022149728185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:17.453416109 CEST4972820221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:17.503454924 CEST2022149728185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:18.156582117 CEST4972820221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:18.205081940 CEST2022149728185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:18.702632904 CEST804968093.184.220.29192.168.2.7
                                            May 12, 2021 19:10:18.702811956 CEST4968080192.168.2.793.184.220.29
                                            May 12, 2021 19:10:20.890388012 CEST804968293.184.220.29192.168.2.7
                                            May 12, 2021 19:10:20.890518904 CEST4968280192.168.2.793.184.220.29
                                            May 12, 2021 19:10:22.222621918 CEST4973120221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:22.270960093 CEST2022149731185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:22.781213999 CEST4973120221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:22.829581976 CEST2022149731185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:23.328953028 CEST4973120221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:23.377298117 CEST2022149731185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:27.485434055 CEST4973220221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:27.534389973 CEST2022149732185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:28.048145056 CEST4973220221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:28.096667051 CEST2022149732185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:28.610683918 CEST4973220221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:28.661541939 CEST2022149732185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:32.737581015 CEST4973320221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:32.785985947 CEST2022149733185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:33.298574924 CEST4973320221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:33.347167969 CEST2022149733185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:33.861105919 CEST4973320221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:33.909369946 CEST2022149733185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:37.993096113 CEST4973420221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:38.043669939 CEST2022149734185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:38.548906088 CEST4973420221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:38.597198009 CEST2022149734185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:39.111489058 CEST4973420221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:39.159869909 CEST2022149734185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:43.175612926 CEST4973520221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:43.224462032 CEST2022149735185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:43.736939907 CEST4973520221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:43.785460949 CEST2022149735185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:44.299360991 CEST4973520221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:44.347902060 CEST2022149735185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:48.363426924 CEST4973620221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:48.412561893 CEST2022149736185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:48.924748898 CEST4973620221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:48.973062992 CEST2022149736185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:49.487293005 CEST4973620221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:49.535598040 CEST2022149736185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:53.551474094 CEST4974020221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:53.599786997 CEST2022149740185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:54.112710953 CEST4974020221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:54.161263943 CEST2022149740185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:54.690862894 CEST4974020221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:54.739089012 CEST2022149740185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:58.850759029 CEST4974620221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:58.900712013 CEST2022149746185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:59.409986973 CEST4974620221192.168.2.7185.140.53.138
                                            May 12, 2021 19:10:59.458373070 CEST2022149746185.140.53.138192.168.2.7
                                            May 12, 2021 19:10:59.975234032 CEST4974620221192.168.2.7185.140.53.138
                                            May 12, 2021 19:11:00.023611069 CEST2022149746185.140.53.138192.168.2.7
                                            May 12, 2021 19:11:04.098244905 CEST4974720221192.168.2.7185.140.53.138
                                            May 12, 2021 19:11:04.146548033 CEST2022149747185.140.53.138192.168.2.7
                                            May 12, 2021 19:11:04.691725016 CEST4974720221192.168.2.7185.140.53.138
                                            May 12, 2021 19:11:04.741496086 CEST2022149747185.140.53.138192.168.2.7
                                            May 12, 2021 19:11:05.394881010 CEST4974720221192.168.2.7185.140.53.138
                                            May 12, 2021 19:11:05.443197966 CEST2022149747185.140.53.138192.168.2.7
                                            May 12, 2021 19:11:07.152595043 CEST49683443192.168.2.740.126.31.4
                                            May 12, 2021 19:11:07.152710915 CEST4968280192.168.2.793.184.220.29
                                            May 12, 2021 19:11:07.152719975 CEST49677443192.168.2.740.126.31.4
                                            May 12, 2021 19:11:07.193311930 CEST804968293.184.220.29192.168.2.7
                                            May 12, 2021 19:11:07.193399906 CEST4968280192.168.2.793.184.220.29
                                            May 12, 2021 19:11:07.213260889 CEST4434967740.126.31.4192.168.2.7
                                            May 12, 2021 19:11:07.213371992 CEST49677443192.168.2.740.126.31.4
                                            May 12, 2021 19:11:07.213483095 CEST4434968340.126.31.4192.168.2.7
                                            May 12, 2021 19:11:07.213550091 CEST49683443192.168.2.740.126.31.4
                                            May 12, 2021 19:11:09.813436985 CEST4974820221192.168.2.7185.140.53.138
                                            May 12, 2021 19:11:09.861773968 CEST2022149748185.140.53.138192.168.2.7
                                            May 12, 2021 19:11:10.381295919 CEST4974820221192.168.2.7185.140.53.138
                                            May 12, 2021 19:11:10.431746960 CEST2022149748185.140.53.138192.168.2.7
                                            May 12, 2021 19:11:11.129765034 CEST4974820221192.168.2.7185.140.53.138
                                            May 12, 2021 19:11:11.178020954 CEST2022149748185.140.53.138192.168.2.7
                                            May 12, 2021 19:11:15.194972038 CEST4974920221192.168.2.7185.140.53.138
                                            May 12, 2021 19:11:15.243237019 CEST2022149749185.140.53.138192.168.2.7
                                            May 12, 2021 19:11:15.801959038 CEST4974920221192.168.2.7185.140.53.138
                                            May 12, 2021 19:11:15.850230932 CEST2022149749185.140.53.138192.168.2.7
                                            May 12, 2021 19:11:16.505132914 CEST4974920221192.168.2.7185.140.53.138
                                            May 12, 2021 19:11:16.553453922 CEST2022149749185.140.53.138192.168.2.7
                                            May 12, 2021 19:11:20.142524958 CEST804968093.184.220.29192.168.2.7
                                            May 12, 2021 19:11:20.142668009 CEST4968080192.168.2.793.184.220.29
                                            May 12, 2021 19:11:20.569139957 CEST4975820221192.168.2.7185.140.53.138
                                            May 12, 2021 19:11:20.617537022 CEST2022149758185.140.53.138192.168.2.7
                                            May 12, 2021 19:11:21.130609035 CEST4975820221192.168.2.7185.140.53.138
                                            May 12, 2021 19:11:21.187669039 CEST2022149758185.140.53.138192.168.2.7
                                            May 12, 2021 19:11:21.693063974 CEST4975820221192.168.2.7185.140.53.138
                                            May 12, 2021 19:11:21.741599083 CEST2022149758185.140.53.138192.168.2.7
                                            May 12, 2021 19:11:25.757402897 CEST4976220221192.168.2.7185.140.53.138
                                            May 12, 2021 19:11:25.805797100 CEST2022149762185.140.53.138192.168.2.7
                                            May 12, 2021 19:11:26.318454027 CEST4976220221192.168.2.7185.140.53.138
                                            May 12, 2021 19:11:26.367983103 CEST2022149762185.140.53.138192.168.2.7
                                            May 12, 2021 19:11:26.881021976 CEST4976220221192.168.2.7185.140.53.138
                                            May 12, 2021 19:11:26.929436922 CEST2022149762185.140.53.138192.168.2.7
                                            May 12, 2021 19:11:31.055226088 CEST4976320221192.168.2.7185.140.53.138
                                            May 12, 2021 19:11:31.105313063 CEST2022149763185.140.53.138192.168.2.7
                                            May 12, 2021 19:11:31.647388935 CEST4976320221192.168.2.7185.140.53.138
                                            May 12, 2021 19:11:31.695698023 CEST2022149763185.140.53.138192.168.2.7
                                            May 12, 2021 19:11:32.209665060 CEST4976320221192.168.2.7185.140.53.138
                                            May 12, 2021 19:11:32.258572102 CEST2022149763185.140.53.138192.168.2.7
                                            May 12, 2021 19:11:32.971723080 CEST804968093.184.220.29192.168.2.7
                                            May 12, 2021 19:11:32.971844912 CEST4968080192.168.2.793.184.220.29
                                            May 12, 2021 19:11:36.332123995 CEST4976420221192.168.2.7185.140.53.138
                                            May 12, 2021 19:11:36.380331993 CEST2022149764185.140.53.138192.168.2.7
                                            May 12, 2021 19:11:36.882271051 CEST4976420221192.168.2.7185.140.53.138
                                            May 12, 2021 19:11:36.930670023 CEST2022149764185.140.53.138192.168.2.7
                                            May 12, 2021 19:11:37.444375992 CEST4976420221192.168.2.7185.140.53.138
                                            May 12, 2021 19:11:37.493633032 CEST2022149764185.140.53.138192.168.2.7
                                            May 12, 2021 19:11:41.571355104 CEST4976520221192.168.2.7185.140.53.138
                                            May 12, 2021 19:11:41.619935036 CEST2022149765185.140.53.138192.168.2.7
                                            May 12, 2021 19:11:42.132308960 CEST4976520221192.168.2.7185.140.53.138
                                            May 12, 2021 19:11:42.181401968 CEST2022149765185.140.53.138192.168.2.7
                                            May 12, 2021 19:11:42.694823027 CEST4976520221192.168.2.7185.140.53.138
                                            May 12, 2021 19:11:42.745182037 CEST2022149765185.140.53.138192.168.2.7

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 12, 2021 19:09:23.519428968 CEST | 56217 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:23.580670118 CEST | 53 | 56217 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:23.810734987 CEST | 63354 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:23.874382019 CEST | 53 | 63354 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:24.114198923 CEST | 53129 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:24.165884972 CEST | 53 | 53129 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:25.360261917 CEST | 62452 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:25.409053087 CEST | 53 | 62452 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:26.311340094 CEST | 57820 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:26.335422039 CEST | 50848 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:26.376713037 CEST | 53 | 57820 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:26.384167910 CEST | 53 | 50848 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:26.754836082 CEST | 61242 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:26.814997911 CEST | 53 | 61242 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:28.012442112 CEST | 58562 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:28.061568975 CEST | 53 | 58562 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:29.286885977 CEST | 56590 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:29.335742950 CEST | 53 | 56590 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:30.482445002 CEST | 60501 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:30.534065008 CEST | 53 | 60501 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:34.885289907 CEST | 53775 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:34.937410116 CEST | 53 | 53775 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:36.005516052 CEST | 51837 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:36.057012081 CEST | 53 | 51837 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:36.989403963 CEST | 55411 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:37.038420916 CEST | 53 | 55411 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:38.209544897 CEST | 63668 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:38.259511948 CEST | 53 | 63668 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:39.321352959 CEST | 54640 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:39.371000051 CEST | 53 | 54640 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:40.033440113 CEST | 58739 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:40.095434904 CEST | 53 | 58739 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:40.307174921 CEST | 60338 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:40.356019020 CEST | 53 | 60338 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:41.418868065 CEST | 58717 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:41.469022036 CEST | 53 | 58717 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:42.424104929 CEST | 59762 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:42.475630999 CEST | 53 | 59762 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:45.964047909 CEST | 54329 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:46.026415110 CEST | 53 | 54329 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:47.856292009 CEST | 58052 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:47.920233965 CEST | 53 | 58052 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:47.953670979 CEST | 54008 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:48.003284931 CEST | 53 | 54008 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:49.054560900 CEST | 59451 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:49.103358030 CEST | 53 | 59451 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:49.995851040 CEST | 52914 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:50.046638012 CEST | 53 | 52914 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:51.704722881 CEST | 64569 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:51.756882906 CEST | 53 | 64569 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:52.970551968 CEST | 52816 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:53.019751072 CEST | 53 | 52816 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:53.854290009 CEST | 50781 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:53.903247118 CEST | 53 | 50781 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:54.449297905 CEST | 54230 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:54.508183956 CEST | 53 | 54230 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:54.806654930 CEST | 54911 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:54.856170893 CEST | 53 | 54911 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:56.734750032 CEST | 49958 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:56.785367966 CEST | 53 | 49958 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:09:59.847589970 CEST | 50860 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:09:59.906244993 CEST | 53 | 50860 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:10:06.137185097 CEST | 50452 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:10:06.198914051 CEST | 53 | 50452 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:10:11.983949900 CEST | 59730 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:10:12.041466951 CEST | 53 | 59730 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:10:18.562263966 CEST | 59310 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:10:18.625128984 CEST | 53 | 59310 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:10:20.379787922 CEST | 51919 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:10:20.438606977 CEST | 53 | 51919 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:10:27.426090956 CEST | 64296 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:10:27.483361959 CEST | 53 | 64296 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:10:32.676578999 CEST | 56680 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:10:32.736129999 CEST | 53 | 56680 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:10:37.929197073 CEST | 58820 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:10:37.989478111 CEST | 53 | 58820 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:10:50.111529112 CEST | 60983 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:10:50.174298048 CEST | 53 | 60983 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:10:55.205688953 CEST | 49247 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:10:55.275978088 CEST | 53 | 49247 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:10:58.786215067 CEST | 52286 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:10:58.849198103 CEST | 53 | 52286 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:11:04.038754940 CEST | 56064 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:11:04.096352100 CEST | 53 | 56064 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:11:09.754262924 CEST | 63744 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:11:09.809561014 CEST | 53 | 63744 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:11:15.814275980 CEST | 61457 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:11:15.913336039 CEST | 53 | 61457 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:11:16.497555971 CEST | 58367 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:11:16.557554007 CEST | 53 | 58367 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:11:17.198498011 CEST | 60599 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:11:17.255631924 CEST | 53 | 60599 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:11:17.736108065 CEST | 59571 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:11:17.742290974 CEST | 52689 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:11:17.811340094 CEST | 53 | 59571 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:11:17.867028952 CEST | 53 | 52689 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:11:18.442326069 CEST | 50290 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:11:18.504839897 CEST | 53 | 50290 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:11:19.367453098 CEST | 60427 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:11:19.432298899 CEST | 53 | 60427 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:11:19.943841934 CEST | 56209 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:11:20.002940893 CEST | 53 | 56209 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:11:20.919472933 CEST | 59582 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:11:20.978926897 CEST | 53 | 59582 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:11:22.055633068 CEST | 60949 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:11:22.104902029 CEST | 53 | 60949 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:11:22.648665905 CEST | 58542 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:11:22.708687067 CEST | 53 | 58542 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:11:30.994379997 CEST | 59179 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:11:31.053859949 CEST | 53 | 59179 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:11:36.273329973 CEST | 60927 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:11:36.331198931 CEST | 53 | 60927 | 8.8.8.8 | 192.168.2.7
May 12, 2021 19:11:41.509563923 CEST | 57854 | 53 | 192.168.2.7 | 8.8.8.8
May 12, 2021 19:11:41.569755077 CEST | 53 | 57854 | 8.8.8.8 | 192.168.2.7

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 12, 2021 19:09:23.810734987 CEST | 192.168.2.7 | 8.8.8.8 | 0x4ac4 | Standard query (0) | clientconfig.passport.net | A (IP address) | IN (0x0001)
May 12, 2021 19:09:54.449297905 CEST | 192.168.2.7 | 8.8.8.8 | 0x1750 | Standard query (0) | wealth2021.ddns.net | A (IP address) | IN (0x0001)
May 12, 2021 19:09:59.847589970 CEST | 192.168.2.7 | 8.8.8.8 | 0x8283 | Standard query (0) | wealth2021.ddns.net | A (IP address) | IN (0x0001)
May 12, 2021 19:10:06.137185097 CEST | 192.168.2.7 | 8.8.8.8 | 0xc9a2 | Standard query (0) | wealth2021.ddns.net | A (IP address) | IN (0x0001)
May 12, 2021 19:10:27.426090956 CEST | 192.168.2.7 | 8.8.8.8 | 0x6c9b | Standard query (0) | wealth2021.ddns.net | A (IP address) | IN (0x0001)
May 12, 2021 19:10:32.676578999 CEST | 192.168.2.7 | 8.8.8.8 | 0xf3e3 | Standard query (0) | wealth2021.ddns.net | A (IP address) | IN (0x0001)
May 12, 2021 19:10:37.929197073 CEST | 192.168.2.7 | 8.8.8.8 | 0x73f8 | Standard query (0) | wealth2021.ddns.net | A (IP address) | IN (0x0001)
May 12, 2021 19:10:58.786215067 CEST | 192.168.2.7 | 8.8.8.8 | 0xaac1 | Standard query (0) | wealth2021.ddns.net | A (IP address) | IN (0x0001)
May 12, 2021 19:11:04.038754940 CEST | 192.168.2.7 | 8.8.8.8 | 0x4099 | Standard query (0) | wealth2021.ddns.net | A (IP address) | IN (0x0001)
May 12, 2021 19:11:09.754262924 CEST | 192.168.2.7 | 8.8.8.8 | 0xb7bf | Standard query (0) | wealth2021.ddns.net | A (IP address) | IN (0x0001)
May 12, 2021 19:11:30.994379997 CEST | 192.168.2.7 | 8.8.8.8 | 0xd530 | Standard query (0) | wealth2021.ddns.net | A (IP address) | IN (0x0001)
May 12, 2021 19:11:36.273329973 CEST | 192.168.2.7 | 8.8.8.8 | 0xb88e | Standard query (0) | wealth2021.ddns.net | A (IP address) | IN (0x0001)
May 12, 2021 19:11:41.509563923 CEST | 192.168.2.7 | 8.8.8.8 | 0x8659 | Standard query (0) | wealth2021.ddns.net | A (IP address) | IN (0x0001)

                                            DNS Answers

                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                            May 12, 2021 19:09:23.874382019 CEST | 8.8.8.8 | 192.168.2.7 | 0x4ac4 | No error (0) | clientconfig.passport.net | authgfx.msa.akadns6.net | - | CNAME (Canonical name) | IN (0x0001)
                                            May 12, 2021 19:09:24.165884972 CEST | 8.8.8.8 | 192.168.2.7 | 0x42cc | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
                                            May 12, 2021 19:09:54.508183956 CEST | 8.8.8.8 | 192.168.2.7 | 0x1750 | No error (0) | wealth2021.ddns.net | - | 185.140.53.138 | A (IP address) | IN (0x0001)
                                            May 12, 2021 19:09:59.906244993 CEST | 8.8.8.8 | 192.168.2.7 | 0x8283 | No error (0) | wealth2021.ddns.net | - | 185.140.53.138 | A (IP address) | IN (0x0001)
                                            May 12, 2021 19:10:06.198914051 CEST | 8.8.8.8 | 192.168.2.7 | 0xc9a2 | No error (0) | wealth2021.ddns.net | - | 185.140.53.138 | A (IP address) | IN (0x0001)
                                            May 12, 2021 19:10:27.483361959 CEST | 8.8.8.8 | 192.168.2.7 | 0x6c9b | No error (0) | wealth2021.ddns.net | - | 185.140.53.138 | A (IP address) | IN (0x0001)
                                            May 12, 2021 19:10:32.736129999 CEST | 8.8.8.8 | 192.168.2.7 | 0xf3e3 | No error (0) | wealth2021.ddns.net | - | 185.140.53.138 | A (IP address) | IN (0x0001)
                                            May 12, 2021 19:10:37.989478111 CEST | 8.8.8.8 | 192.168.2.7 | 0x73f8 | No error (0) | wealth2021.ddns.net | - | 185.140.53.138 | A (IP address) | IN (0x0001)
                                            May 12, 2021 19:10:58.849198103 CEST | 8.8.8.8 | 192.168.2.7 | 0xaac1 | No error (0) | wealth2021.ddns.net | - | 185.140.53.138 | A (IP address) | IN (0x0001)
                                            May 12, 2021 19:11:04.096352100 CEST | 8.8.8.8 | 192.168.2.7 | 0x4099 | No error (0) | wealth2021.ddns.net | - | 185.140.53.138 | A (IP address) | IN (0x0001)
                                            May 12, 2021 19:11:09.809561014 CEST | 8.8.8.8 | 192.168.2.7 | 0xb7bf | No error (0) | wealth2021.ddns.net | - | 185.140.53.138 | A (IP address) | IN (0x0001)
                                            May 12, 2021 19:11:31.053859949 CEST | 8.8.8.8 | 192.168.2.7 | 0xd530 | No error (0) | wealth2021.ddns.net | - | 185.140.53.138 | A (IP address) | IN (0x0001)
                                            May 12, 2021 19:11:36.331198931 CEST | 8.8.8.8 | 192.168.2.7 | 0xb88e | No error (0) | wealth2021.ddns.net | - | 185.140.53.138 | A (IP address) | IN (0x0001)
                                            May 12, 2021 19:11:41.569755077 CEST | 8.8.8.8 | 192.168.2.7 | 0x8659 | No error (0) | wealth2021.ddns.net | - | 185.140.53.138 | A (IP address) | IN (0x0001)

                                            Code Manipulations

                                            Statistics

                                            CPU Usage


                                            Memory Usage


                                            High Level Behavior Distribution


                                            Behavior


                                            System Behavior

                                            General

                                            Start time: 19:09:28
                                            Start date: 12/05/2021
                                            Path: C:\Users\user\Desktop\Quotation_Order.pdf.exe
                                            Wow64 process (32bit): true
                                            Commandline: 'C:\Users\user\Desktop\Quotation_Order.pdf.exe'
                                            Imagebase: 0xb20000
                                            File size: 845312 bytes
                                            MD5 hash: 9EC5D09C8ADEFBF30598A5BD5F8D826E
                                            Has elevated privileges: true
                                            Has administrator privileges: true
                                            Programmed in: .Net C# or VB.NET
                                            Yara matches:
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.242494583.0000000003EB9000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.242494583.0000000003EB9000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.242494583.0000000003EB9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.242066967.0000000002EB1000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.242708300.0000000004005000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.242708300.0000000004005000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.242708300.0000000004005000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            Reputation: low

                                            General

                                            Start time: 19:09:33
                                            Start date: 12/05/2021
                                            Path: C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit): true
                                            Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NzjsARuyfeoDS' /XML 'C:\Users\user\AppData\Local\Temp\tmpAE98.tmp'
                                            Imagebase: 0xef0000
                                            File size: 185856 bytes
                                            MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                                            Has elevated privileges: true
                                            Has administrator privileges: true
                                            Programmed in: C, C++ or other language
                                            Reputation: high

                                            General

                                            Start time: 19:09:33
                                            Start date: 12/05/2021
                                            Path: C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit): false
                                            Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase: 0x7ff774ee0000
                                            File size: 625664 bytes
                                            MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges: true
                                            Has administrator privileges: true
                                            Programmed in: C, C++ or other language
                                            Reputation: high

                                            General

                                            Start time: 19:09:34
                                            Start date: 12/05/2021
                                            Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                            Wow64 process (32bit): true
                                            Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                            Imagebase: 0xcc0000
                                            File size: 261728 bytes
                                            MD5 hash: D621FD77BD585874F9686D3A76462EF1
                                            Has elevated privileges: true
                                            Has administrator privileges: true
                                            Programmed in: .Net C# or VB.NET
                                            Yara matches:
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.505268694.00000000056C0000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.505268694.00000000056C0000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.505644430.00000000058D0000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.505644430.00000000058D0000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.505644430.00000000058D0000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.501077048.00000000031A1000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.504649374.00000000041E9000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.504649374.00000000041E9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.495341010.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.495341010.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.495341010.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                            Reputation: moderate

                                            Disassembly

                                            Code Analysis


                                              Executed Functions

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: rz6Z
                                              • API String ID: 0-3149296402
                                              • Opcode ID: d3bcb854a30ad835be547aa03cde3bb728cae5e4c4c2a97ba165c0441e83a1c8
                                              • Instruction ID: d835515b48575572360094f3c32a2fdd599c5fd77a4f10d4cd285eb14a5f86fa
                                              • Opcode Fuzzy Hash: d3bcb854a30ad835be547aa03cde3bb728cae5e4c4c2a97ba165c0441e83a1c8
                                              • Instruction Fuzzy Hash: 5C813374E15209DFCB48DFE5D9945EEBBB2FF88300F14942AD816AB364EB3469128F50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: rz6Z
                                              • API String ID: 0-3149296402
                                              • Opcode ID: 7627d21669f1886d2145a27d6098e79bb23ba8e3c1593549a90f53d94d01a10b
                                              • Instruction ID: 7e5059bd040f5964dcf3ca2f25ec11f769c4a191b6257fdbaab46077829e890e
                                              • Opcode Fuzzy Hash: 7627d21669f1886d2145a27d6098e79bb23ba8e3c1593549a90f53d94d01a10b
                                              • Instruction Fuzzy Hash: 3A812374E15209DFCB48DFE5D9945EEBBB2FF88300F10952AD816AB364EB3469128F50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: k(B
                                              • API String ID: 0-2884051701
                                              • Opcode ID: 9de0b9d0993a02c6d7741a527bc439cd1034635dd9964adeae314b26da141372
                                              • Instruction ID: f46413ec4fae1e222738c13e212f33dbc822c3cbfde5f65445df866fa3af0d0a
                                              • Opcode Fuzzy Hash: 9de0b9d0993a02c6d7741a527bc439cd1034635dd9964adeae314b26da141372
                                              • Instruction Fuzzy Hash: 6F516D71E15218DFDB08CFA9EA455DDFBF7BB8D210F14A52AD805F7254DB3498028B28
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: k(B
                                              • API String ID: 0-2884051701
                                              • Opcode ID: 93f175c943782a80be2bd2376eb284ca0341c2dc6838d54d00ad61e868a0471e
                                              • Instruction ID: c1d69f529b4a07549dd7099c50dcd50d135ed74761bd5ecfd11586936a2fe1cb
                                              • Opcode Fuzzy Hash: 93f175c943782a80be2bd2376eb284ca0341c2dc6838d54d00ad61e868a0471e
                                              • Instruction Fuzzy Hash: F3413B70E15218DBDB08CFA5DA455DDFBF7BB8D201F14E42AE905B7254EB34A8028B18
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 311f3afc3988986813cb762367984fb859147d33b2f65ae033bcdeb34bf045db
                                              • Instruction ID: e80394c05d29579460a64d00c2c45f9d5a3c11436bd8e3dafb19f48720a8261a
                                              • Opcode Fuzzy Hash: 311f3afc3988986813cb762367984fb859147d33b2f65ae033bcdeb34bf045db
                                              • Instruction Fuzzy Hash: CCE1DE71B013458FEB25EB75C660BAEB7FABF89709F14446ED0458B290CB35E806CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 46c24a8de41f6bf65d0ef5b49d81286940439f76314db94b5834f85aedc3e89a
                                              • Instruction ID: aca84caab7e745a6962a973fa25d5fb86fd213d040137a4224a09ed7f86b2495
                                              • Opcode Fuzzy Hash: 46c24a8de41f6bf65d0ef5b49d81286940439f76314db94b5834f85aedc3e89a
                                              • Instruction Fuzzy Hash: 76D10774E112189FDB08DFA4DA55BEDBBF6FB89300F209429E405B7394DB74A942CB14
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: db99922e887508d92f3b212e82d46ea4243d914947db95a83e67438a7f153db1
                                              • Instruction ID: 73e06c591c996513007dcf89c183e6c258218e1b5a30744256bfd0078f706195
                                              • Opcode Fuzzy Hash: db99922e887508d92f3b212e82d46ea4243d914947db95a83e67438a7f153db1
                                              • Instruction Fuzzy Hash: 81D10774E152189FDB08CFA4DA55BEDBBF6FB89300F209429E405BB394DB74A942CB14
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 15d4a09a52fe8152531d4ea6d1794f3ddeedae5291aa4737a12fb2bad92d0954
                                              • Instruction ID: 21a6fd8c3f6e088cef9efecac958dad22f34166d074e57956bb63921d8d12b11
                                              • Opcode Fuzzy Hash: 15d4a09a52fe8152531d4ea6d1794f3ddeedae5291aa4737a12fb2bad92d0954
                                              • Instruction Fuzzy Hash: F0913974E1921ADFCB18CFA6E6805EDFBB2BB89310F14A52AE415B7254E334A542CF14
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a50c0e556808437a70114442751e4388613688b410fd0bd1cb55ff06b6c821c3
                                              • Instruction ID: 750aebf0dd40e99513cdcb94eed0c2c26fead3842596e630f83b6b9e188d4408
                                              • Opcode Fuzzy Hash: a50c0e556808437a70114442751e4388613688b410fd0bd1cb55ff06b6c821c3
                                              • Instruction Fuzzy Hash: 7931AD70E152188BCB08CFA5DA415EDFBF2EB8D300F10E96AD445B3254EB39A9168F24
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f7604f8ab00c57fb79336b476c50fcf1c0ce54314451134114ffd24635c9220e
                                              • Instruction ID: 95619b15c0fd0f3935c1c1c1de1ed4daca1f37a0974682463397f3d098438152
                                              • Opcode Fuzzy Hash: f7604f8ab00c57fb79336b476c50fcf1c0ce54314451134114ffd24635c9220e
                                              • Instruction Fuzzy Hash: 3E317070E15218CBCB08CFA5DA405EEFBF6EB8D310F10E56AD445B7254EB39A8118F64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 40ee562412646a42c2cdaca9a66c74cd0dacad82bf69c99ece324c28927091c8
                                              • Instruction ID: 789b7e12d0d163dac198fc13ea77a88fe4694b0b5bc6f5df7a6cb8345e566c8c
                                              • Opcode Fuzzy Hash: 40ee562412646a42c2cdaca9a66c74cd0dacad82bf69c99ece324c28927091c8
                                              • Instruction Fuzzy Hash: 4F116A70D00228CBCB15DFA8C6487FDBBF0BB0A316F14706AD496B7291C7389946DB64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5bb5ce774518ae75b343cee2d05f19045f9027ce02c31ca6a8269fdb4c913465
                                              • Instruction ID: 4a7d4f66f7d9a3878ae0db5f0e419a0d5953e1caaf99f7b19a2b25c2c0b4d66f
                                              • Opcode Fuzzy Hash: 5bb5ce774518ae75b343cee2d05f19045f9027ce02c31ca6a8269fdb4c913465
                                              • Instruction Fuzzy Hash: F6115E30D042588FCB149FA9C6187FDBAF0BB4E306F14B06AD445B3291D7349944DBA8
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c4a424f4bb0a56303bd06dd4a2febf1b20691640968c99ff393273337fe7ea1d
                                              • Instruction ID: 5bc2526d0f33d4877c904b903def6deb7f8adb60946fc211de0a8cfd7efad33d
                                              • Opcode Fuzzy Hash: c4a424f4bb0a56303bd06dd4a2febf1b20691640968c99ff393273337fe7ea1d
                                              • Instruction Fuzzy Hash: DFE09B519493598BC7115FA48B545F9BFB0BB07242F44704EC041B7191D668A50797A5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 01566BF8
                                              • GetCurrentThread.KERNEL32 ref: 01566C35
                                              • GetCurrentProcess.KERNEL32 ref: 01566C72
                                              • GetCurrentThreadId.KERNEL32 ref: 01566CCB
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.241917357.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: eea887ed57e850691013f4bbbf22193abecfd21178e6c48b87f15af059bd3ff2
                                              • Instruction ID: dd399ebb1d35f01560895951eb07206aae72225b4931060ba0a0cbb2ec37fccb
                                              • Opcode Fuzzy Hash: eea887ed57e850691013f4bbbf22193abecfd21178e6c48b87f15af059bd3ff2
                                              • Instruction Fuzzy Hash: 865134B4904649CFDB24CFA9D988BAEBBF0FB88304F108459E419AB391D7745845CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 01566BF8
                                              • GetCurrentThread.KERNEL32 ref: 01566C35
                                              • GetCurrentProcess.KERNEL32 ref: 01566C72
                                              • GetCurrentThreadId.KERNEL32 ref: 01566CCB
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.241917357.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: cc6deb59c2a1f25b34aab3dd6b96bc5fb33755c8ffe7350f7607f4cf68887d61
                                              • Instruction ID: 1df45bae22bbc307f6537d6bc1b5662c963323cdb4f27091ae33d506bec67215
                                              • Opcode Fuzzy Hash: cc6deb59c2a1f25b34aab3dd6b96bc5fb33755c8ffe7350f7607f4cf68887d61
                                              • Instruction Fuzzy Hash: B95156B4904649CFDB24CFA9C588BEEBBF4FB48304F108419E419AB390D7746844CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04EC2A3E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: c92407e7df707e7a2203add2499dcf0670c32a47bed09ee6d64cdda9df6bb807
                                              • Instruction ID: 06ad13a66c500fe905d12d838fff64ff674de697cecb3ded80ab330a4a22d5d6
                                              • Opcode Fuzzy Hash: c92407e7df707e7a2203add2499dcf0670c32a47bed09ee6d64cdda9df6bb807
                                              • Instruction Fuzzy Hash: 26A17071D00219DFEF24CF69D9807DDBBB2BF48318F0485A9E949A7240DB74A986CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04EC2A3E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0156BE0E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.241917357.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0156DD8A
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.241917357.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0156DD8A
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.241917357.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01566E47
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.241917357.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04EC2610
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04EC2610
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01566E47
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.241917357.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04EC26F0
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetThreadContext.KERNELBASE(?,00000000), ref: 04EC2466
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID: ContextThread
                                              • String ID:
                                              • API String ID: 1591575202-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04EC26F0
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetThreadContext.KERNELBASE(?,00000000), ref: 04EC2466
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID: ContextThread
                                              • String ID:
                                              • API String ID: 1591575202-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01566E47
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.241917357.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0156BE89,00000800,00000000,00000000), ref: 0156C09A
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.241917357.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0156BE89,00000800,00000000,00000000), ref: 0156C09A
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.241917357.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04EC252E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04EC252E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 04EC9468
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID: ChangeCloseFindNotification
                                              • String ID:
                                              • API String ID: 2591292051-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0156BE0E
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.241917357.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 04EC9468
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID: ChangeCloseFindNotification
                                              • String ID:
                                              • API String ID: 2591292051-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • PostMessageW.USER32(?,?,?,?), ref: 04EC7D35
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetWindowLongW.USER32(?,?,?), ref: 0156DF1D
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.241917357.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false
                                              Similarity
                                              • API ID: LongWindow
                                              • String ID:
                                              • API String ID: 1378638983-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetWindowLongW.USER32(?,?,?), ref: 0156DF1D
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.241917357.0000000001560000.00000040.00000001.sdmp, Offset: 01560000, based on PE: false
                                              Similarity
                                              • API ID: LongWindow
                                              • String ID:
                                              • API String ID: 1378638983-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • PostMessageW.USER32(?,?,?,?), ref: 04EC7D35
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false

                                              Non-executed Functions

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000001.00000002.242969122.0000000004EC0000.00000040.00000001.sdmp, Offset: 04EC0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: Ra}

                                              Executed Functions

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 0151B730
                                              • GetCurrentThread.KERNEL32 ref: 0151B76D
                                              • GetCurrentProcess.KERNEL32 ref: 0151B7AA
                                              • GetCurrentThreadId.KERNEL32 ref: 0151B803
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.499825418.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: false

                                              APIs
                                              • RegQueryValueExA.KERNELBASE(00000000,056B5F31,00020119,00000000,00000000,?), ref: 056B62FF
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.505247574.00000000056B0000.00000040.00000001.sdmp, Offset: 056B0000, based on PE: false

                                              APIs
                                              • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 067235C0
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.506043616.0000000006720000.00000040.00000001.sdmp, Offset: 06720000, based on PE: false
                                              Similarity
                                              • API ID: Query_
                                              • String ID:
                                              • API String ID: 428220571-0
                                              • Opcode ID: 3a2f31ef8c4feb559753c87d97ad4062a6cad53ac5f36e998c253146682e684e
                                              • Instruction ID: 4583fed1850d0c563794cee8115abbb8f45b76390eba710ae24c8e97a13608f1
                                              • Opcode Fuzzy Hash: 3a2f31ef8c4feb559753c87d97ad4062a6cad53ac5f36e998c253146682e684e
                                              • Instruction Fuzzy Hash: 23512671D002599FDF14CFA9C880ADEBBB5FF48314F14812AE819AB350DB74A985CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0151FD0A
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.499825418.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: false
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: b7bf775964dfaa50ba85c7a2c51632eba562c586e2260592962af8c78b44ce3a
                                              • Instruction ID: 6fb3959b64ce1c7b222e41d95b6d7777f40400e0367789012aa378de0660c9f0
                                              • Opcode Fuzzy Hash: b7bf775964dfaa50ba85c7a2c51632eba562c586e2260592962af8c78b44ce3a
                                              • Instruction Fuzzy Hash: 9951C2B1D04309DFDB15CFA9D884ADEBBB1FF48314F64852AE815AB214D7749845CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0151FD0A
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.499825418.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: false
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: 0cbaad8bb4c15438572073bf2d2b35d89002631c1367cf8ef521613b1d515719
                                              • Instruction ID: 5fb97827f8d2952b3b980c80f233594c7234bbbd0ffbcc7f27f9920361ae84cd
                                              • Opcode Fuzzy Hash: 0cbaad8bb4c15438572073bf2d2b35d89002631c1367cf8ef521613b1d515719
                                              • Instruction Fuzzy Hash: 4B41C0B1D00309EFDB15CFA9C884ADEBBB5FF48314F64812AE819AB214D774A845CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,?,?), ref: 056B60AF
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.505247574.00000000056B0000.00000040.00000001.sdmp, Offset: 056B0000, based on PE: false
                                              Similarity
                                              • API ID: Open
                                              • String ID:
                                              • API String ID: 71445658-0
                                              • Opcode ID: b8268a08b362712cb3c5012b005a622a8c7c3637a1cc71d6e992947e5a15ec69
                                              • Instruction ID: 30dfc411b148591a46358e7e07f3e231d99a52c92af2948b511cc0a60b23e2ab
                                              • Opcode Fuzzy Hash: b8268a08b362712cb3c5012b005a622a8c7c3637a1cc71d6e992947e5a15ec69
                                              • Instruction Fuzzy Hash: 91414470D042589FDB10CFAAC985BDEBBB5BF48314F14812AE819AB740D7B59881CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,?,?), ref: 056B60AF
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.505247574.00000000056B0000.00000040.00000001.sdmp, Offset: 056B0000, based on PE: false
                                              Similarity
                                              • API ID: Open
                                              • String ID:
                                              • API String ID: 71445658-0
                                              • Opcode ID: 16048aba66f8fac66f21c2a1f0fa7902681bb30aeeb6c65d1053ef0fbbf52d0f
                                              • Instruction ID: eadb2764073af3f2f6169e444fb11e0f1a41b351e45f433f6b3be9922556a291
                                              • Opcode Fuzzy Hash: 16048aba66f8fac66f21c2a1f0fa7902681bb30aeeb6c65d1053ef0fbbf52d0f
                                              • Instruction Fuzzy Hash: C3411371D043589FDB10CFAAC984BDEBBB5BB48314F14812AE819AB750DBB49885CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0151BD87
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.499825418.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: false
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 1e1229b4aaf9b5436fa233041416ced97ce0822761801c980e2674c1072d762e
                                              • Instruction ID: 7eecc06450743d16060eb0744b061fef828d8962b748de7b6fba0f5df50871af
                                              • Opcode Fuzzy Hash: 1e1229b4aaf9b5436fa233041416ced97ce0822761801c980e2674c1072d762e
                                              • Instruction Fuzzy Hash: 9721F2B5900249AFDB10CFA9D884AEEBFF4FB48320F14841AE954A7210C374A950CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0151BD87
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.499825418.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: false
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 62fb8233ce1aef9260596b279480a000ccc6f3831c9d1a1b0a0ef2822312ecc8
                                              • Instruction ID: dfd9105bf86fb51b485e249c859c30813d5589f6dc0a8840d595a1411a94b93a
                                              • Opcode Fuzzy Hash: 62fb8233ce1aef9260596b279480a000ccc6f3831c9d1a1b0a0ef2822312ecc8
                                              • Instruction Fuzzy Hash: 2921C4B5901249EFDB10CFAAD884AEEBFF4FB48324F14841AE954A7350D374A954CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 015198BA
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.499825418.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: false
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: d687181ac93ccff894a8ea2fee6d7528cc991310ab804b99f64d1725be1996ee
                                              • Instruction ID: 5e89ef27745942dbf6c5077ed3839fa0ceafb6bbaed599ffd8d8833b4af75c2b
                                              • Opcode Fuzzy Hash: d687181ac93ccff894a8ea2fee6d7528cc991310ab804b99f64d1725be1996ee
                                              • Instruction Fuzzy Hash: 841103B6D04249DFDB10CFAAD884BEEFBF4AB88354F15842ED815A7600C374A545CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 015198BA
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.499825418.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: false
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 59a4faa5103673027a9dd9417a9ae50b9f157e62826dab2319a984bc0e57e7b4
                                              • Instruction ID: 17b2478e922e6e59349364353b1039cb6af1abe9d0e63094640539a7bcffa0c6
                                              • Opcode Fuzzy Hash: 59a4faa5103673027a9dd9417a9ae50b9f157e62826dab2319a984bc0e57e7b4
                                              • Instruction Fuzzy Hash: 2811E2B6D04209DFDB10CF9AD844BDEFBF4EB88364F14842AD915A7600C374A545CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,015193FB), ref: 0151962E
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.499825418.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: false
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 9bc550d5b026ac41db74d1a96c6ee1d4fc0cd12304851d977f7eec73b5040968
                                              • Instruction ID: 63e11f027f069d76b22ab6f9776a56c2cf45e31374aba7db56f51e5d804e87fd
                                              • Opcode Fuzzy Hash: 9bc550d5b026ac41db74d1a96c6ee1d4fc0cd12304851d977f7eec73b5040968
                                              • Instruction Fuzzy Hash: C31102B5D042498FDB10CF9AD444BDEFBF4EF88228F10882AD919AB240D374A545CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetWindowLongW.USER32(?,?,?), ref: 0151FE9D
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.499825418.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: false
                                              Similarity
                                              • API ID: LongWindow
                                              • String ID:
                                              • API String ID: 1378638983-0
                                              • Opcode ID: 8760e3360d5c38bc67e2e7ccbae2cf6890866b15818d316ace667b2d0badaa24
                                              • Instruction ID: 593e7d0484dc46b132f9d44b854df6a91bd1397606d1a53ac8f43c3071f6d5e3
                                              • Opcode Fuzzy Hash: 8760e3360d5c38bc67e2e7ccbae2cf6890866b15818d316ace667b2d0badaa24
                                              • Instruction Fuzzy Hash: AA1110B5800249DFDB20CF99D885BEEBBF4FB88324F10855AD854A7241C378A945CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RegCloseKey.KERNELBASE(00000000), ref: 056B642F
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.505247574.00000000056B0000.00000040.00000001.sdmp, Offset: 056B0000, based on PE: false
                                              Similarity
                                              • API ID: Close
                                              • String ID:
                                              • API String ID: 3535843008-0
                                              • Opcode ID: bbf1c0663e84cd014b2b5e002bb0ace666f892b272a1592ceaca8c409b2cf3c0
                                              • Instruction ID: b712ed8c7bd8750031dcd15fd46b8799dbbbdb8f9563ef4538d80c0ac432217a
                                              • Opcode Fuzzy Hash: bbf1c0663e84cd014b2b5e002bb0ace666f892b272a1592ceaca8c409b2cf3c0
                                              • Instruction Fuzzy Hash: 4B1136B1804258CFCB10CF9AD448BDEFBF4EB88324F10841AD519A7640D7B4A940CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.505247574.00000000056B0000.00000040.00000001.sdmp, Offset: 056B0000, based on PE: false
                                              Similarity
                                              • API ID: DispatchMessage
                                              • String ID:
                                              • API String ID: 2061451462-0
                                              • Opcode ID: 8d5284d7a9fc0e65cf87d155869d1f9974739bae6709437724e2286cf79da142
                                              • Instruction ID: 3f3f822704dd38b63d00e01dacb31f03b4bf472bbf26f84da7410a47f7e361ee
                                              • Opcode Fuzzy Hash: 8d5284d7a9fc0e65cf87d155869d1f9974739bae6709437724e2286cf79da142
                                              • Instruction Fuzzy Hash: E611E0B1C04659CECB10CFAAD448BDEBBF4AB88324F10861AD829A3280D3786545CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RegCloseKey.KERNELBASE(00000000), ref: 056B642F
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.505247574.00000000056B0000.00000040.00000001.sdmp, Offset: 056B0000, based on PE: false
                                              Similarity
                                              • API ID: Close
                                              • String ID:
                                              • API String ID: 3535843008-0
                                              • Opcode ID: bb339ade2c336966e71758f64fa50198dd4eca70d944f7131b3fb5eba7fa86a2
                                              • Instruction ID: a7d8a4e8e2b2b386910c2c3822b55009f1436c2e98030adb0a6ad0c2bd7fa025
                                              • Opcode Fuzzy Hash: bb339ade2c336966e71758f64fa50198dd4eca70d944f7131b3fb5eba7fa86a2
                                              • Instruction Fuzzy Hash: 9B1133B1804619CFCB20CF9AC888BDEFBF4EB48324F10841AD519A7240D7B4A940CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetWindowLongW.USER32(?,?,?), ref: 0151FE9D
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.499825418.0000000001510000.00000040.00000001.sdmp, Offset: 01510000, based on PE: false
                                              Similarity
                                              • API ID: LongWindow
                                              • String ID:
                                              • API String ID: 1378638983-0
                                              • Opcode ID: 2ac64827f668c0eb96418266adb1686323622dae15765ed5c0ca680257233a89
                                              • Instruction ID: d29361b30b6cf3f18b1463467051d1aa527ad2cef0c8cd8373d201b721e88538
                                              • Opcode Fuzzy Hash: 2ac64827f668c0eb96418266adb1686323622dae15765ed5c0ca680257233a89
                                              • Instruction Fuzzy Hash: A311D0B59002499FDB10CF9AD989BEEBBF8FB88324F10855AD915A7240C374A944CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.505247574.00000000056B0000.00000040.00000001.sdmp, Offset: 056B0000, based on PE: false
                                              Similarity
                                              • API ID: DispatchMessage
                                              • String ID:
                                              • API String ID: 2061451462-0
                                              • Opcode ID: 7324b4cb135ff2806dac98daf93eefb28a10b794b0fc3e6ccb6ff55359fc13bc
                                              • Instruction ID: 1867a1c35641dc20ec10f11dc1ed5bfbaa67550470476aa4766df6fc8461626b
                                              • Opcode Fuzzy Hash: 7324b4cb135ff2806dac98daf93eefb28a10b794b0fc3e6ccb6ff55359fc13bc
                                              • Instruction Fuzzy Hash: 03110DB1C04649CFCB10CF9AD848BDEFBF4EB88324F10852AD819A3240D378A544CFA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

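The records above all share one layout: an APIs heading with the resolved Win32 call (export name, exporting module, recovered arguments and the call-site address), the memory-dump region the function was lifted from, and the similarity fields. The parser below is an added example for this page, not Joe Sandbox code. It turns such records into dicts, names the registry root key when a Reg* call's first argument was recovered (80000002 is HKEY_LOCAL_MACHINE in winreg.h), and groups resolved APIs per dump region, falling back to the API ID field for blocks like the DispatchMessage ones above whose call line is absent. The sample input is constructed from three records on this page with most bullet lines dropped; the field layout is assumed from this page and may differ in other report versions.

```python
"""Parse Joe Sandbox 'Executed Functions' records into structured dicts.

Added example for this page, not Joe Sandbox code. The layout (an 'APIs'
heading, then bullet lines under 'Memory Dump Source' and 'Similarity')
is assumed from the records on this page; other report versions may differ.
"""
import re
from collections import defaultdict

# Registry root-key handles from winreg.h, for reading Reg* call arguments.
HKEY_NAMES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}

API_CALL_RE = re.compile(r"^•\s*(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),"
                         r"\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"^•\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*"
                       r"(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>\w+)$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")

# Constructed input: three records copied from this report, keeping only the
# API call, Source File, API ID and Instruction Fuzzy Hash lines. The third
# record has no API call line, exactly like the DispatchMessage records above.
SAMPLE = """\
APIs
• DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 067235C0
Memory Dump Source
• Source File: 00000005.00000002.506043616.0000000006720000.00000040.00000001.sdmp, Offset: 06720000, based on PE: false
Similarity
• API ID: Query_
• Instruction Fuzzy Hash: 23512671D002599FDF14CFA9C880ADEBBB5FF48314F14812AE819AB350DB74A985CF91
APIs
• RegOpenKeyExA.KERNELBASE(80000002,?,00000000,?,?), ref: 056B60AF
Memory Dump Source
• Source File: 00000005.00000002.505247574.00000000056B0000.00000040.00000001.sdmp, Offset: 056B0000, based on PE: false
Similarity
• API ID: Open
• Instruction Fuzzy Hash: 91414470D042589FDB10CFAAC985BDEBBB5BF48314F14812AE819AB740D7B59881CB91
APIs
Memory Dump Source
• Source File: 00000005.00000002.505247574.00000000056B0000.00000040.00000001.sdmp, Offset: 056B0000, based on PE: false
Similarity
• API ID: DispatchMessage
• Instruction Fuzzy Hash: E611E0B1C04659CECB10CFAAD448BDEBBF4AB88324F10861AD829A3280D3786545CFA1
"""


def parse_records(text):
    """Return one dict per 'APIs' block: resolved calls, dump source, other fields."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"calls": [], "fields": {}}
            records.append(current)
            continue
        if current is None or not line.startswith("•"):
            continue  # section headings and 'Uniqueness' lines carry no fields
        if m := API_CALL_RE.match(line):
            current["calls"].append({
                "api": m["name"], "module": m["module"],
                "args": [a.strip() for a in m["args"].split(",")],
                "ref": int(m["ref"], 16)})
        elif m := SOURCE_RE.match(line):
            current["dump"] = m["file"]
            current["offset"] = int(m["offset"], 16)
            current["based_on_pe"] = m["pe"] == "true"
        elif m := FIELD_RE.match(line):
            current["fields"][m["key"].strip()] = m["val"].strip()
    return records


def registry_root(call):
    """Name the HKEY_* root for a Reg* call whose first argument was recovered."""
    if not call["api"].startswith("Reg") or not call["args"]:
        return None
    try:
        return HKEY_NAMES.get(int(call["args"][0], 16))
    except ValueError:
        return None  # '?' means the sandbox could not recover the argument


def apis_by_dump(records):
    """Map each memory-dump region to the API names seen in it, using the
    'API ID' field when the block has no resolved call line."""
    out = defaultdict(set)
    for rec in records:
        names = {c["api"] for c in rec["calls"]} or {rec["fields"].get("API ID", "?")}
        out[rec.get("dump", "?")] |= names
    return dict(out)
```

Grouping by dump region is what makes this useful for triage of a report this long: on the sample above the 056B0000 region carries the HKLM registry access and the message dispatch, while the 06720000 region holds the DnsQuery_A call, a natural starting point when chasing the dynamic-DNS C2 resolution listed in the report's signatures. Arguments shown as `?` are ones the sandbox could not recover, so `registry_root` deliberately returns nothing rather than guessing.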
                                              Non-executed Functions