
Analysis Report Doc#6620200947535257653.exe

Overview

General Information

Sample Name: Doc#6620200947535257653.exe
Analysis ID: 338654
MD5: 6618b8298100d5fb25d23b498a33d492
SHA1: bd61a9c97e54b031ae4eaeb7f69f2006454e1edc
SHA256: 96cdf96daea9002d2dcf31e5d37b7df4942ef6085209df1f6b269b9baca3e40a
Tags: exe, Hostwinds, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Doc#6620200947535257653.exe (PID: 4120 cmdline: 'C:\Users\user\Desktop\Doc#6620200947535257653.exe' MD5: 6618B8298100D5FB25D23B498A33D492)
    • gjhgkuytgkgfgd.exe (PID: 6308 cmdline: 'C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe' MD5: 6618B8298100D5FB25D23B498A33D492)
      • AddInProcess32.exe (PID: 5820 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
      • ffgfhfjftdghghrghse.exe (PID: 5404 cmdline: 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • ffgfhfjftdghghrghse.exe (PID: 5768 cmdline: 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • ffgfhfjftdghghrghse.exe (PID: 6288 cmdline: 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • ffgfhfjftdghghrghse.exe (PID: 5056 cmdline: 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • ffgfhfjftdghghrghse.exe (PID: 4516 cmdline: 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • ffgfhfjftdghghrghse.exe (PID: 6408 cmdline: 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • ffgfhfjftdghghrghse.exe (PID: 5968 cmdline: 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • ffgfhfjftdghghrghse.exe (PID: 6112 cmdline: 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • ffgfhfjftdghghrghse.exe (PID: 5368 cmdline: 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • ffgfhfjftdghghrghse.exe (PID: 6836 cmdline: 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.157.160.233"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000017.00000002.692289484.0000000003EB9000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000017.00000002.692289484.0000000003EB9000.00000004.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
    • 0x2f25:$a: NanoCore
    • 0x2f7e:$a: NanoCore
    • 0x2fbb:$a: NanoCore
    • 0x3034:$a: NanoCore
    • 0x166df:$a: NanoCore
    • 0x166f4:$a: NanoCore
    • 0x16729:$a: NanoCore
    • 0x2f1ab:$a: NanoCore
    • 0x2f1c0:$a: NanoCore
    • 0x2f1f5:$a: NanoCore
    • 0x2f87:$b: ClientPlugin
    • 0x2fc4:$b: ClientPlugin
    • 0x38c2:$b: ClientPlugin
    • 0x38cf:$b: ClientPlugin
    • 0x1649b:$b: ClientPlugin
    • 0x164b6:$b: ClientPlugin
    • 0x164e6:$b: ClientPlugin
    • 0x166fd:$b: ClientPlugin
    • 0x16732:$b: ClientPlugin
    • 0x2ef67:$b: ClientPlugin
    • 0x2ef82:$b: ClientPlugin
Source: 00000000.00000002.314934882.00000000049AC000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
    • 0x10b87:$x1: NanoCore.ClientPluginHost
    • 0x569c5:$x1: NanoCore.ClientPluginHost
    • 0x10bc4:$x2: IClientNetworkHost
    • 0x56a02:$x2: IClientNetworkHost
    • 0x146f7:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x5a535:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000000.00000002.314934882.00000000049AC000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000000.00000002.314934882.00000000049AC000.00000004.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
      • 0x108ef:$a: NanoCore
      • 0x108ff:$a: NanoCore
      • 0x10b33:$a: NanoCore
      • 0x10b47:$a: NanoCore
      • 0x10b87:$a: NanoCore
      • 0x5672d:$a: NanoCore
      • 0x5673d:$a: NanoCore
      • 0x56971:$a: NanoCore
      • 0x56985:$a: NanoCore
      • 0x569c5:$a: NanoCore
      • 0x1094e:$b: ClientPlugin
      • 0x10b50:$b: ClientPlugin
      • 0x10b90:$b: ClientPlugin
      • 0x5678c:$b: ClientPlugin
      • 0x5698e:$b: ClientPlugin
      • 0x569ce:$b: ClientPlugin
      • 0x10a75:$c: ProjectData
      • 0x44762:$c: ProjectData
      • 0x568b3:$c: ProjectData
      • 0x1147c:$d: DESCrypto
      • 0x572ba:$d: DESCrypto

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 23.2.AddInProcess32.exe.52e0000.3.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
      • 0xe75:$x1: NanoCore.ClientPluginHost
      • 0xe8f:$x2: IClientNetworkHost
Source: 23.2.AddInProcess32.exe.52e0000.3.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
      • 0xe75:$x2: NanoCore.ClientPluginHost
      • 0x1261:$s3: PipeExists
      • 0x1136:$s4: PipeCreated
      • 0xeb0:$s5: IClientLoggingHost
Source: 23.2.AddInProcess32.exe.400000.0.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
      • 0x1018d:$x1: NanoCore.ClientPluginHost
      • 0x101ca:$x2: IClientNetworkHost
      • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 23.2.AddInProcess32.exe.400000.0.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
      • 0xff05:$x1: NanoCore Client.exe
      • 0x1018d:$x2: NanoCore.ClientPluginHost
      • 0x117c6:$s1: PluginCommand
      • 0x117ba:$s2: FileCommand
      • 0x1266b:$s3: PipeExists
      • 0x18422:$s4: PipeCreated
      • 0x101b7:$s5: IClientLoggingHost
Source: 23.2.AddInProcess32.exe.400000.0.unpack | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
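The YARA hits above are listed as `offset:$identifier: string`. The Python below is an added illustration, not part of the Joe Sandbox report and not the rules it cites: it scans a constructed memory buffer for the seven strings of Nanocore_RAT_Feb18_1 shown above, in both ASCII and UTF-16LE ("wide") form with YARA-style fullword boundaries, prints hits in the report's format, and evaluates an assumed condition (one `$x` string, or three strings overall) that stands in for the real rule's condition, which this page does not show. The identifier-to-string mapping follows the hits listed above; the sample buffer and the condition are assumptions of this example.

```python
import re

# Strings as they appear in the Nanocore_RAT_Feb18_1 hits above. Each is searched
# as ASCII and as UTF-16LE, because .NET metadata names are stored as ASCII while
# .NET user strings are stored as UTF-16.
RULE_STRINGS = {
    "$x1": "NanoCore Client.exe",
    "$x2": "NanoCore.ClientPluginHost",
    "$s1": "PluginCommand",
    "$s2": "FileCommand",
    "$s3": "PipeExists",
    "$s4": "PipeCreated",
    "$s5": "IClientLoggingHost",
}


def find_strings(buf: bytes, strings=RULE_STRINGS, fullword=True):
    """Return a sorted list of (offset, identifier, text, encoding) for every
    occurrence of each rule string in buf. With fullword=True a hit is rejected
    when an alphanumeric character directly precedes or follows it, which is
    an approximation of YARA's 'fullword' modifier."""
    hits = []
    for ident, text in strings.items():
        variants = (("ascii", text.encode("ascii")), ("wide", text.encode("utf-16-le")))
        for enc, raw in variants:
            pat = re.escape(raw)
            if fullword and enc == "ascii":
                pat = rb"(?<![0-9A-Za-z])" + pat + rb"(?![0-9A-Za-z])"
            elif fullword:
                # In UTF-16LE every ASCII letter is followed by a NUL byte.
                pat = rb"(?<![0-9A-Za-z]\x00)" + pat + rb"(?![0-9A-Za-z]\x00)"
            for m in re.finditer(pat, buf):
                hits.append((m.start(), ident, text, enc))
    return sorted(hits)


def evaluate(hits, min_x=1, min_any=3):
    """Assumed condition standing in for the rule's own: '1 of ($x*) or 3 of them',
    counted over distinct identifiers rather than raw occurrences."""
    matched = {ident for _, ident, _, _ in hits}
    x_matched = {ident for ident in matched if ident.startswith("$x")}
    return len(x_matched) >= min_x or len(matched) >= min_any


def format_hits(hits):
    """Render hits the way the report lists them: 0x<offset>:$id: <string>."""
    return [f"0x{off:x}:{ident}: {text}" for off, ident, text, _ in hits]


# Constructed stand-in for a process memory dump (assumption, not a real dump):
# filler, three NUL-terminated ASCII names, one UTF-16 user string, and a
# substring that the fullword check must reject.
SAMPLE_DUMP = (
    b"\x00" * 0x100
    + b"IClientLoggingHost\x00PipeCreated\x00PipeExists\x00"
    + b"\x00" * 0x40
    + "NanoCore Client.exe".encode("utf-16-le")
    + b"\x00" * 0x20
    + b"NotPipeExistsEither\x00"
)

if __name__ == "__main__":
    found = find_strings(SAMPLE_DUMP)
    for line in format_hits(found):
        print(line)
    print("rule fires:", evaluate(found))
```

Running the block prints four hits (three ASCII `$s` strings and the wide `$x1`) and `rule fires: True`; the `NotPipeExistsEither` fragment is not reported because the fullword boundary check fails on the preceding `t`.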

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ProcessId: 5820, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
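The Sigma hit above keys on a Sysmon EventID 11 (file created) record whose TargetFilename is a run.dat under a GUID-named folder in AppData\Roaming, written by a process image named AddInProcess32.exe that is running from %TEMP% rather than from the .NET Framework directory. The Python below is an added example, not part of the report or of the Sigma rule it references; it encodes both observations as matching logic over Sysmon events represented as dictionaries with the field names shown in the Data line (EventID, Image, ProcessId, TargetFilename) and runs them against constructed records: one mirroring the hit above and two benign look-alikes. The legitimate AddInProcess32.exe location (C:\Windows\Microsoft.NET\Framework[64]\v*\) is an assumption drawn from where the .NET Framework installs that binary, not something the report states.

```python
import re

# Rule 1: NanoCore persistence file %APPDATA%\<GUID>\run.dat (Sysmon EventID 11).
GUID_RE = r"[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}"
RUN_DAT_RE = re.compile(r"\\AppData\\Roaming\\" + GUID_RE + r"\\run\.dat$", re.IGNORECASE)

# Rule 2: AddInProcess32.exe executing from anywhere other than the .NET
# Framework directory. ASSUMPTION: the legitimate path pattern below.
LEGIT_ADDIN_RE = re.compile(
    r"^[A-Za-z]:\\Windows\\Microsoft\.NET\\Framework(?:64)?\\v[\d.]+\\AddInProcess32\.exe$",
    re.IGNORECASE,
)


def match_event(ev: dict):
    """Return the names of the rules that fire on one Sysmon event."""
    fired = []
    eid = int(ev.get("EventID", 0))
    if eid == 11 and RUN_DAT_RE.search(ev.get("TargetFilename", "")):
        fired.append("nanocore_run_dat_persistence")
    image = ev.get("Image", "")
    if (eid in (1, 11)
            and image.lower().endswith("\\addinprocess32.exe")
            and not LEGIT_ADDIN_RE.match(image)):
        fired.append("addinprocess32_outside_dotnet_dir")
    return fired


def scan(events):
    """Run every event through the rules; returns [(ProcessId, rule_name), ...]."""
    return [(ev.get("ProcessId"), rule) for ev in events for rule in match_event(ev)]


# Constructed Sysmon records (not exported from a real host). The first mirrors
# the report's Sigma hit; the other two are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 5820,
     "Image": r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    {"EventID": 1, "ProcessId": 1234,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"},
    {"EventID": 11, "ProcessId": 2222,
     "Image": r"C:\Program Files\App\app.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\App\run.dat"},
]

if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule}")
```

Both rules fire on PID 5820 only; the genuine .NET Framework copy of AddInProcess32.exe and a run.dat in a non-GUID folder are left alone. The GUID requirement is what keeps the first rule from matching ordinary applications that happen to write a run.dat into their own Roaming folder.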

Signature Overview

AV Detection:

Found malware configuration
Source: AddInProcess32.exe.5820.23.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["185.157.160.233"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Yara detected Nanocore RAT
Source: Yara match | File source: 00000017.00000002.692289484.0000000003EB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.314934882.00000000049AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.314242326.000000000484F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.704326696.0000000004721000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.672265622.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.701805555.0000000005720000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.704615515.000000000499C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.704483178.000000000483F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 5820, type: MEMORY
Source: Yara match | File source: Process Memory Space: gjhgkuytgkgfgd.exe PID: 6308, type: MEMORY
Source: Yara match | File source: Process Memory Space: Doc#6620200947535257653.exe PID: 4120, type: MEMORY
Source: Yara match | File source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.AddInProcess32.exe.5720000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.AddInProcess32.exe.5720000.6.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Doc#6620200947535257653.exe | Joe Sandbox ML: detected
Source: 23.2.AddInProcess32.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 23.2.AddInProcess32.exe.5720000.6.unpack | Avira: Label: TR/NanoCore.fadte
Source: Doc#6620200947535257653.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Doc#6620200947535257653.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: AddInProcess32.pdb | source: Doc#6620200947535257653.exe, 00000000.00000003.287381501.0000000001C16000.00000004.00000001.sdmp, AddInProcess32.exe, AddInProcess32.exe.0.dr
Source: Binary string: AddInProcess32.pdbpw | source: Doc#6620200947535257653.exe, 00000000.00000003.287381501.0000000001C16000.00000004.00000001.sdmp, AddInProcess32.exe, 00000017.00000000.388454489.0000000000882000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Code function: 4x nop then jmp 01B0F62Eh
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 4x nop then jmp 0199F62Eh
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 4x nop then jmp 05DF88CFh
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 4x nop then jmp 05DF88CFh
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 4x nop then jmp 05DF7D76h
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 4x nop then jmp 05DF7D76h
Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe | Code function: 4x nop then jmp 012D0799h
Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe | Code function: 4x nop then jmp 012D0799h
Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe | Code function: 4x nop then jmp 02B50799h
Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe | Code function: 4x nop then jmp 02B50799h
Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe | Code function: 4x nop then jmp 01530799h
Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe | Code function: 4x nop then jmp 01530799h
Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe | Code function: 4x nop then jmp 01880799h
Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe | Code function: 4x nop then jmp 01880799h

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 185.157.160.233
Source: global traffic | TCP traffic: 192.168.2.3:49744 -> 185.157.160.233:2212
Source: global traffic | TCP traffic: 192.168.2.3:49749 -> 105.112.106.128:2212
Note: the second destination, 105.112.160.128 is not what was contacted; the second destination is 105.112.106.128, and it is absent from the extracted configuration, which lists only 185.157.160.233. The run's only DNS query is for annapro.linkpc.net. Treat the configured IP, the second IP and the queried hostname together as indicators, and note that both connections use the same non-standard port, 2212.
Source: Joe Sandbox View | IP Address: 185.157.160.233
Source: Joe Sandbox View | ASN Name: OBE-EUROPE Obenetwork Europe SE
Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.160.233 (reported 15 times)
Source: unknown | DNS traffic detected: queries for: annapro.linkpc.net
Source: Doc#6620200947535257653.exe, 00000000.00000003.218378992.00000000088C0000.00000004.00000001.sdmp, Doc#6620200947535257653.exe, 00000000.00000003.310684596.00000000088C0000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ado/1
Source: gjhgkuytgkgfgd.exe, 00000010.00000003.319689296.0000000008760000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ado/1q
Source: Doc#6620200947535257653.exe, 00000000.00000003.218378992.00000000088C0000.00000004.00000001.sdmp, Doc#6620200947535257653.exe, 00000000.00000003.310684596.00000000088C0000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g
Source: gjhgkuytgkgfgd.exe, 00000010.00000003.319689296.0000000008760000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/gq
Source: Doc#6620200947535257653.exe, 00000000.00000003.218378992.00000000088C0000.00000004.00000001.sdmp, Doc#6620200947535257653.exe, 00000000.00000003.310684596.00000000088C0000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cobj
Source: gjhgkuytgkgfgd.exe, 00000010.00000003.319689296.0000000008760000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cobjq
Source: Doc#6620200947535257653.exe, 00000000.00000002.313171492.0000000001B68000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: AddInProcess32.exe, 00000017.00000002.692289484.0000000003EB9000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices
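The Malware Configuration block above names a single C2 IP, while the Networking lines show two TCP destinations on port 2212 and one DNS query. The Python below is an added example, not part of the report or of the extractor that produced the configuration: it normalises the extractor's JSON (its keys carry a trailing colon and space), reconciles it with the flows and DNS query transcribed from this page, flags destinations the configuration does not cover and non-standard ports, and emits the merged indicator list. The set of "standard" ports is an assumption of the example.

```python
import ipaddress
import json

# Extractor output exactly as printed in the report, odd key names included.
RAW_CONFIG = ('{"C2: ": ["185.157.160.233"], '
              '"Version: ": "NanoCore Client, Version=1.2.2.0"}')

# Flows and DNS queries transcribed from the report's Networking lines:
# (src_ip, src_port, dst_ip, dst_port).
OBSERVED_FLOWS = [
    ("192.168.2.3", 49744, "185.157.160.233", 2212),
    ("192.168.2.3", 49749, "105.112.106.128", 2212),
]
OBSERVED_DNS = ["annapro.linkpc.net"]

# ASSUMPTION: ports an egress policy would treat as ordinary.
STANDARD_PORTS = {21, 22, 25, 53, 80, 443, 587, 993, 995}


def _split_host_port(entry: str):
    """'host:port' -> (host, int); a bare host -> (host, None)."""
    host, sep, port = entry.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return entry, None


def normalize_config(raw: str) -> dict:
    """Parse the extractor JSON and strip the ': ' noise from its keys.
    Returns {'c2': [{'host', 'port', 'kind'}, ...], 'version': str}."""
    cfg = json.loads(raw)
    cleaned = {k.strip().rstrip(":").strip().lower(): v for k, v in cfg.items()}
    c2 = []
    for entry in cleaned.get("c2", []):
        host, port = _split_host_port(entry)
        try:
            ipaddress.ip_address(host)
            kind = "ip"
        except ValueError:
            kind = "domain"
        c2.append({"host": host, "port": port, "kind": kind})
    return {"c2": c2, "version": cleaned.get("version", "")}


def reconcile(cfg: dict, flows, dns_queries):
    """Compare the extracted C2 list with what the sandbox actually saw.
    Returns [(category, message), ...] with categories 'confirmed',
    'uncovered' and 'nonstandard-port'."""
    configured = {c["host"] for c in cfg["c2"]}
    findings = []
    for _src, _sport, dst, dport in flows:
        if dst in configured:
            findings.append(("confirmed", f"{dst}:{dport} matches the configured C2"))
        else:
            findings.append(("uncovered", f"{dst}:{dport} contacted but absent from the extracted config"))
        if dport not in STANDARD_PORTS:
            findings.append(("nonstandard-port", f"{dst}:{dport}"))
    for name in dns_queries:
        if name not in configured:
            findings.append(("uncovered", f"DNS query for {name} not covered by the extracted config"))
    return findings


def indicators(cfg: dict, flows, dns_queries):
    """Deduplicated union of configured and observed network indicators."""
    iocs = {c["host"] for c in cfg["c2"]}
    iocs.update(dst for _, _, dst, _ in flows)
    iocs.update(dns_queries)
    return sorted(iocs)


if __name__ == "__main__":
    config = normalize_config(RAW_CONFIG)
    print("version:", config["version"])
    for category, message in reconcile(config, OBSERVED_FLOWS, OBSERVED_DNS):
        print(f"[{category}] {message}")
    print("indicators:", ", ".join(indicators(config, OBSERVED_FLOWS, OBSERVED_DNS)))
```

The point of the reconciliation step is that an extracted configuration is a lower bound on the infrastructure: here it confirms 185.157.160.233 but says nothing about 105.112.106.128 or annapro.linkpc.net, so blocking only the configured IP would leave the other two paths open.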

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000017.00000002.692289484.0000000003EB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.314934882.00000000049AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.314242326.000000000484F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.704326696.0000000004721000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.672265622.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.701805555.0000000005720000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.704615515.000000000499C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.704483178.000000000483F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 5820, type: MEMORY
Source: Yara match | File source: Process Memory Space: gjhgkuytgkgfgd.exe PID: 6308, type: MEMORY
Source: Yara match | File source: Process Memory Space: Doc#6620200947535257653.exe PID: 4120, type: MEMORY
Source: Yara match | File source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.AddInProcess32.exe.5720000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.AddInProcess32.exe.5720000.6.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000017.00000002.692289484.0000000003EB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.314934882.00000000049AC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.314934882.00000000049AC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.314242326.000000000484F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.314242326.000000000484F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.704326696.0000000004721000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000010.00000002.704326696.0000000004721000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.672265622.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000017.00000002.672265622.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.700402304.00000000052E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000017.00000002.701805555.0000000005720000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000010.00000002.704615515.000000000499C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000010.00000002.704615515.000000000499C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.704483178.000000000483F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000010.00000002.704483178.000000000483F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: AddInProcess32.exe PID: 5820, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: AddInProcess32.exe PID: 5820, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: gjhgkuytgkgfgd.exe PID: 6308, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: gjhgkuytgkgfgd.exe PID: 6308, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Doc#6620200947535257653.exe PID: 4120, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: Doc#6620200947535257653.exe PID: 4120, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.AddInProcess32.exe.52e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.AddInProcess32.exe.5720000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 23.2.AddInProcess32.exe.5720000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF1BFC CreateProcessAsUserW,
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Code function: 0_2_01B09A09
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Code function: 0_2_01B0A4F8
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Code function: 0_2_01B0BC28
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Code function: 0_2_01B03FB8
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Code function: 0_2_01B04720
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Code function: 0_2_01B0D6F4
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Code function: 0_2_01B076D0
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Code function: 0_2_01B0F658
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Code function: 0_2_01B0EE58
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Code function: 0_2_01B0F648
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_01999A01
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_0199A4F8
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_0199BC28
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_01993FB8
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_019976D0
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_0199D6EA
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_0199F658
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_0199EE58
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_0199F648
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF2F38
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF5720
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF04E8
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF0C18
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF45C8
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF25F8
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF25E8
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF2180
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF3980
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF6340
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF2171
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF5710
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF2F28
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF04E1
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF0C08
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 23_2_00882050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 23_2_0134E471
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 23_2_0134E480
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 23_2_0134BBD4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 23_2_0524F5F8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 23_2_05249788
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 23_2_0524A5D0
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
Source: Doc#6620200947535257653.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gjhgkuytgkgfgd.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Doc#6620200947535257653.exe | Binary or memory string: OriginalFilename vs Doc#6620200947535257653.exe
Source: Doc#6620200947535257653.exe, 00000000.00000002.313463921.0000000001E40000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Doc#6620200947535257653.exe
Source: Doc#6620200947535257653.exe, 00000000.00000002.313463921.0000000001E40000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Doc#6620200947535257653.exe
Source: Doc#6620200947535257653.exe, 00000000.00000002.313392512.0000000001DF0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSHCore1.dll0 vs Doc#6620200947535257653.exe
Source: Doc#6620200947535257653.exe, 00000000.00000002.313171492.0000000001B68000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Doc#6620200947535257653.exe
Source: Doc#6620200947535257653.exe, 00000000.00000002.322695546.0000000008CB0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Doc#6620200947535257653.exe
Source: Doc#6620200947535257653.exe, 00000000.00000002.314934882.00000000049AC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAstronot plart.exe> vs Doc#6620200947535257653.exe
Source: Doc#6620200947535257653.exe, 00000000.00000003.287381501.0000000001C16000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAddInProcess32.exeT vs Doc#6620200947535257653.exe
Source: Doc#6620200947535257653.exe, 00000000.00000002.322289598.0000000005E70000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Doc#6620200947535257653.exe
Source: Doc#6620200947535257653.exe | Binary or memory string: OriginalFilenametonyumeze1.exeP vs Doc#6620200947535257653.exe
Source: Doc#6620200947535257653.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000017.00000002.692289484.0000000003EB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.314934882.00000000049AC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.314934882.00000000049AC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.314242326.000000000484F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.314242326.000000000484F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.704326696.0000000004721000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.704326696.0000000004721000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000017.00000002.672265622.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000017.00000002.672265622.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000017.00000002.700402304.00000000052E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000017.00000002.700402304.00000000052E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000017.00000002.701805555.0000000005720000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000017.00000002.701805555.0000000005720000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000010.00000002.704615515.000000000499C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.704615515.000000000499C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.704483178.000000000483F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000010.00000002.704483178.000000000483F000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: AddInProcess32.exe PID: 5820, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: AddInProcess32.exe PID: 5820, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: gjhgkuytgkgfgd.exe PID: 6308, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: gjhgkuytgkgfgd.exe PID: 6308, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Doc#6620200947535257653.exe PID: 4120, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Doc#6620200947535257653.exe PID: 4120, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 23.2.AddInProcess32.exe.52e0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 23.2.AddInProcess32.exe.52e0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 23.2.AddInProcess32.exe.5720000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 23.2.AddInProcess32.exe.5720000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 23.2.AddInProcess32.exe.5720000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 23.2.AddInProcess32.exe.5720000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 23.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 23.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 23.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: classification engineClassification label: mal100.troj.evad.winEXE@26/19@3/3
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gjhgkuytgkgfgd.lnkJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{5c958888-f81c-42a4-939d-31983a2cd9ba}
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exeFile created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeJump to behavior
        Source: Doc#6620200947535257653.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | File read: C:\Users\desktop.ini
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | File read: C:\Users\user\Desktop\Doc#6620200947535257653.exe
        Source: unknown | Process created: C:\Users\user\Desktop\Doc#6620200947535257653.exe 'C:\Users\user\Desktop\Doc#6620200947535257653.exe'
        Source: unknown | Process created: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe 'C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe'
        Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
        Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe'
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Process created: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe 'C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe'
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Process created: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe'
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Process created: unknown unknown
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe | Process created: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe'
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: Doc#6620200947535257653.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: Doc#6620200947535257653.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
        Source: Doc#6620200947535257653.exe | Static file information: File size 5468672 > 1048576
        Source: Doc#6620200947535257653.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x50b200
        Source: Doc#6620200947535257653.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
        Source: Binary string: AddInProcess32.pdb source: Doc#6620200947535257653.exe, 00000000.00000003.287381501.0000000001C16000.00000004.00000001.sdmp, AddInProcess32.exe, AddInProcess32.exe.0.dr
        Source: Binary string: AddInProcess32.pdbpw source: Doc#6620200947535257653.exe, 00000000.00000003.287381501.0000000001C16000.00000004.00000001.sdmp, AddInProcess32.exe, 00000017.00000000.388454489.0000000000882000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 23.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 23.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Binary contains a suspicious time stamp
        Source: initial sample | Static PE information: 0xC7142059 [Sun Nov 3 05:36:25 2075 UTC]
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Code function: 0_2_01B03A90 push CC01B4B1h; retf
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF4F52 push esp; retf
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF52D0 push eax; iretd
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF1C79 push ebx; iretd
        Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 23_2_052469F8 pushad ; retf
        Source: ffgfhfjftdghghrghse.exe.16.dr, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs | High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
        Source: ffgfhfjftdghghrghse.exe.16.dr, Astronotplart/gabKErPURPS76kDKjrme.cs | High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
        Source: ffgfhfjftdghghrghse.exe.16.dr, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs | High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
        Source: ffgfhfjftdghghrghse.exe.16.dr, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs | High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
        Source: ffgfhfjftdghghrghse.exe.16.dr, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs | High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
        Source: 23.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 23.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 26.0.ffgfhfjftdghghrghse.exe.920000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs | High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
        Source: 26.0.ffgfhfjftdghghrghse.exe.920000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.cs | High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
        Source: 26.0.ffgfhfjftdghghrghse.exe.920000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs | High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
        Source: 26.0.ffgfhfjftdghghrghse.exe.920000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs | High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
        Source: 26.0.ffgfhfjftdghghrghse.exe.920000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs | High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
        Source: 26.2.ffgfhfjftdghghrghse.exe.920000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs | High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
        Source: 26.2.ffgfhfjftdghghrghse.exe.920000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.cs | High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
        Source: 26.2.ffgfhfjftdghghrghse.exe.920000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs | High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
        Source: 26.2.ffgfhfjftdghghrghse.exe.920000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs | High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
        Source: 26.2.ffgfhfjftdghghrghse.exe.920000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs | High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
        Source: 29.2.ffgfhfjftdghghrghse.exe.8b0000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs | High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
        Source: 29.2.ffgfhfjftdghghrghse.exe.8b0000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs | High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
        Source: 29.2.ffgfhfjftdghghrghse.exe.8b0000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.cs | High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
        Source: 29.2.ffgfhfjftdghghrghse.exe.8b0000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs | High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
        Source: 29.2.ffgfhfjftdghghrghse.exe.8b0000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs | High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
        Source: 29.0.ffgfhfjftdghghrghse.exe.8b0000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs | High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
        Source: 29.0.ffgfhfjftdghghrghse.exe.8b0000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.cs | High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
        Source: 29.0.ffgfhfjftdghghrghse.exe.8b0000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs | High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
        Source: 29.0.ffgfhfjftdghghrghse.exe.8b0000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs | High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
        Source: 29.0.ffgfhfjftdghghrghse.exe.8b0000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs | High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
        Source: 30.2.ffgfhfjftdghghrghse.exe.dd0000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs | High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
        Source: 30.2.ffgfhfjftdghghrghse.exe.dd0000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.cs | High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
        Source: 30.2.ffgfhfjftdghghrghse.exe.dd0000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs | High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
        Source: 30.2.ffgfhfjftdghghrghse.exe.dd0000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs | High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
        Source: 30.2.ffgfhfjftdghghrghse.exe.dd0000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs | High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
        Source: 30.0.ffgfhfjftdghghrghse.exe.dd0000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs | High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
        Source: 30.0.ffgfhfjftdghghrghse.exe.dd0000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.cs | High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
        Source: 30.0.ffgfhfjftdghghrghse.exe.dd0000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs | High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
        Source: 30.0.ffgfhfjftdghghrghse.exe.dd0000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs | High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
        Source: 30.0.ffgfhfjftdghghrghse.exe.dd0000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs | High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | File created: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | File created: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gjhgkuytgkgfgd.lnk
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gjhgkuytgkgfgd.lnkJump to behavior

        Hooking and other Techniques for Hiding and Protection:

        Icon mismatch, binary includes an icon from a different legit application in order to fool users
        Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: icon (6).png
        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | File opened: C:\Users\user\Desktop\Doc#6620200947535257653.exe\:Zone.Identifier (read attributes, delete)
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | File opened: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe\:Zone.Identifier (read attributes, delete)
        Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | File opened: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe:Zone.Identifier (read attributes, delete)
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Process information set: NOOPENFILEERRORBOX (this event is logged 40 times in the report)
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Process information set: NOOPENFILEERRORBOX (this event is logged 42 times in the report)
        Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Process information set: NOOPENFILEERRORBOX (this event is logged 39 times in the report)
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe | Process information set: NOOPENFILEERRORBOX (this event is logged 161 times in the report)
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Window / User API: threadDelayed 7446
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Window / User API: threadDelayed 2333
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Window / User API: threadDelayed 2817
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Window / User API: threadDelayed 7005
        Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Window / User API: threadDelayed 1602
        Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Window / User API: threadDelayed 7862
        Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Window / User API: foregroundWindowGot 992
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe TID: 1528 | Thread sleep time: -23058430092136925s >= -30000s
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe TID: 1528 | Thread sleep time: -30000s >= -30000s
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe TID: 4576 | Thread sleep count: 7446 > 30
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe TID: 4576 | Thread sleep count: 2333 > 30
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe TID: 1528 | Thread sleep count: 54 > 30
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe TID: 6424 | Thread sleep time: -21213755684765971s >= -30000s
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe TID: 6424 | Thread sleep time: -30000s >= -30000s
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe TID: 5524 | Thread sleep count: 2817 > 30
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe TID: 5524 | Thread sleep count: 7005 > 30
        Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 6212 | Thread sleep time: -12912720851596678s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe TID: 1724 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe TID: 5640 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe TID: 3672 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe TID: 5656 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe TID: 7076 | Thread sleep time: -922337203685477s >= -30000s
        Source: gjhgkuytgkgfgd.exe, 00000010.00000002.690228734.0000000003520000.00000004.00000001.sdmp | Binary or memory string: VMware
        Source: gjhgkuytgkgfgd.exe, 00000010.00000002.690228734.0000000003520000.00000004.00000001.sdmp | Binary or memory string: vmware svga
        Source: Doc#6620200947535257653.exe, 00000000.00000002.322695546.0000000008CB0000.00000002.00000001.sdmp, AddInProcess32.exe, 00000017.00000002.703059986.00000000067D0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: gjhgkuytgkgfgd.exe, 00000010.00000002.690228734.0000000003520000.00000004.00000001.sdmp | Binary or memory string: vmware
        Source: Doc#6620200947535257653.exe, 00000000.00000002.313392512.0000000001DF0000.00000004.00000001.sdmp, gjhgkuytgkgfgd.exe, 00000010.00000002.690228734.0000000003520000.00000004.00000001.sdmp | Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
        Source: ffgfhfjftdghghrghse.exe, 00000020.00000002.516554938.0000000000913000.00000004.00000020.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oy
        Source: Doc#6620200947535257653.exe, 00000000.00000002.313392512.0000000001DF0000.00000004.00000001.sdmp, gjhgkuytgkgfgd.exe, 00000010.00000002.690228734.0000000003520000.00000004.00000001.sdmp | Binary or memory string: cmd.txtQEMUqemu
        Source: Doc#6620200947535257653.exe, 00000000.00000002.313392512.0000000001DF0000.00000004.00000001.sdmp, gjhgkuytgkgfgd.exe, 00000010.00000002.690228734.0000000003520000.00000004.00000001.sdmp | Binary or memory string: vmusrvc
        Source: gjhgkuytgkgfgd.exe, 00000010.00000002.690228734.0000000003520000.00000004.00000001.sdmp | Binary or memory string: vmsrvc
        Source: gjhgkuytgkgfgd.exe, 00000010.00000002.690228734.0000000003520000.00000004.00000001.sdmp | Binary or memory string: vmtools
        Source: gjhgkuytgkgfgd.exe, 00000010.00000002.690228734.0000000003520000.00000004.00000001.sdmp | Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
        Source: gjhgkuytgkgfgd.exe, 00000010.00000002.690228734.0000000003520000.00000004.00000001.sdmp | Binary or memory string: vboxservicevbox)Microsoft Virtual PC
        Source: Doc#6620200947535257653.exe, 00000000.00000002.322695546.0000000008CB0000.00000002.00000001.sdmp, AddInProcess32.exe, 00000017.00000002.703059986.00000000067D0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: Doc#6620200947535257653.exe, 00000000.00000002.322695546.0000000008CB0000.00000002.00000001.sdmp, AddInProcess32.exe, 00000017.00000002.703059986.00000000067D0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: gjhgkuytgkgfgd.exe, 00000010.00000002.690228734.0000000003520000.00000004.00000001.sdmp | Binary or memory string: virtual-vmware pointing device
        Source: Doc#6620200947535257653.exe, 00000000.00000002.322695546.0000000008CB0000.00000002.00000001.sdmp, AddInProcess32.exe, 00000017.00000002.703059986.00000000067D0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Process token adjusted: Debug
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Process token adjusted: Debug
        Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Process token adjusted: Debug
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Allocates memory in foreign processes
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write
        Injects a PE file into a foreign processes
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A
        Writes to foreign memory regions
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 402000
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 420000
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 422000
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: AED008
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Process created: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe 'C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe'
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Process created: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe'
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Process created: unknown unknown
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe | Process created: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe'
        Source: gjhgkuytgkgfgd.exe, 00000010.00000002.689992657.0000000002110000.00000002.00000001.sdmp, AddInProcess32.exe, 00000017.00000002.692118052.0000000003436000.00000004.00000001.sdmp, ffgfhfjftdghghrghse.exe, 0000001D.00000002.680339015.0000000001670000.00000002.00000001.sdmp, ffgfhfjftdghghrghse.exe, 0000001F.00000002.679344761.0000000001E30000.00000002.00000001.sdmp, ffgfhfjftdghghrghse.exe, 00000022.00000002.680940515.0000000001FB0000.00000002.00000001.sdmp, ffgfhfjftdghghrghse.exe, 00000025.00000002.679646724.0000000001A60000.00000002.00000001.sdmp, ffgfhfjftdghghrghse.exe, 00000027.00000002.680724533.0000000001EA0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
        Source: gjhgkuytgkgfgd.exe, 00000010.00000002.689992657.0000000002110000.00000002.00000001.sdmp, AddInProcess32.exe, 00000017.00000002.683370448.0000000001710000.00000002.00000001.sdmp, ffgfhfjftdghghrghse.exe, 0000001D.00000002.680339015.0000000001670000.00000002.00000001.sdmp, ffgfhfjftdghghrghse.exe, 0000001F.00000002.679344761.0000000001E30000.00000002.00000001.sdmp, ffgfhfjftdghghrghse.exe, 00000022.00000002.680940515.0000000001FB0000.00000002.00000001.sdmp, ffgfhfjftdghghrghse.exe, 00000025.00000002.679646724.0000000001A60000.00000002.00000001.sdmp, ffgfhfjftdghghrghse.exe, 00000027.00000002.680724533.0000000001EA0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
        Source: gjhgkuytgkgfgd.exe, 00000010.00000002.689992657.0000000002110000.00000002.00000001.sdmp, AddInProcess32.exe, 00000017.00000002.683370448.0000000001710000.00000002.00000001.sdmp, ffgfhfjftdghghrghse.exe, 0000001D.00000002.680339015.0000000001670000.00000002.00000001.sdmp, ffgfhfjftdghghrghse.exe, 0000001F.00000002.679344761.0000000001E30000.00000002.00000001.sdmp, ffgfhfjftdghghrghse.exe, 00000022.00000002.680940515.0000000001FB0000.00000002.00000001.sdmp, ffgfhfjftdghghrghse.exe, 00000025.00000002.679646724.0000000001A60000.00000002.00000001.sdmp, ffgfhfjftdghghrghse.exe, 00000027.00000002.680724533.0000000001EA0000.00000002.00000001.sdmp | Binary or memory string: Progman
        Source: gjhgkuytgkgfgd.exe, 00000010.00000002.689992657.0000000002110000.00000002.00000001.sdmp, AddInProcess32.exe, 00000017.00000002.683370448.0000000001710000.00000002.00000001.sdmp, ffgfhfjftdghghrghse.exe, 0000001D.00000002.680339015.0000000001670000.00000002.00000001.sdmp, ffgfhfjftdghghrghse.exe, 0000001F.00000002.679344761.0000000001E30000.00000002.00000001.sdmp, ffgfhfjftdghghrghse.exe, 00000022.00000002.680940515.0000000001FB0000.00000002.00000001.sdmp, ffgfhfjftdghghrghse.exe, 00000025.00000002.679646724.0000000001A60000.00000002.00000001.sdmp, ffgfhfjftdghghrghse.exe, 00000027.00000002.680724533.0000000001EA0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
        Source: AddInProcess32.exe, 00000017.00000002.684007584.0000000002EC5000.00000004.00000001.sdmp | Binary or memory string: Program ManagerHa-l(
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Queries volume information: C:\Users\user\Desktop\Doc#6620200947535257653.exe VolumeInformation
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Queries volume information: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe VolumeInformation
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match; File source: 00000017.00000002.692289484.0000000003EB9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000000.00000002.314934882.00000000049AC000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000000.00000002.314242326.000000000484F000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000010.00000002.704326696.0000000004721000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000017.00000002.672265622.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000017.00000002.701805555.0000000005720000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000010.00000002.704615515.000000000499C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000010.00000002.704483178.000000000483F000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: Process Memory Space: AddInProcess32.exe PID: 5820, type: MEMORY
        Source: Yara match; File source: Process Memory Space: gjhgkuytgkgfgd.exe PID: 6308, type: MEMORY
        Source: Yara match; File source: Process Memory Space: Doc#6620200947535257653.exe PID: 4120, type: MEMORY
        Source: Yara match; File source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 23.2.AddInProcess32.exe.5720000.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 23.2.AddInProcess32.exe.5720000.6.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: Doc#6620200947535257653.exe, 00000000.00000002.314934882.00000000049AC000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
        Source: gjhgkuytgkgfgd.exe, 00000010.00000002.704326696.0000000004721000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
        Source: AddInProcess32.exe, 00000017.00000002.692289484.0000000003EB9000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
        Source: AddInProcess32.exe, 00000017.00000002.692289484.0000000003EB9000.00000004.00000001.sdmp; String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

        Mitre Att&ck Matrix

        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid Accounts1Windows Management InstrumentationStartup Items1Startup Items1Disable or Modify Tools1Input Capture21File and Directory Discovery1Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default AccountsScheduled Task/JobValid Accounts1Valid Accounts1Deobfuscate/Decode Files or Information1LSASS MemorySystem Information Discovery12Remote Desktop ProtocolInput Capture21Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Registry Run Keys / Startup Folder2Access Token Manipulation1Obfuscated Files or Information2Security Account ManagerQuery Registry1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationRemote Access Software1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Process Injection312Software Packing11NTDSSecurity Software Discovery11Distributed Component Object ModelInput CaptureScheduled TransferNon-Application Layer Protocol1SIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptRegistry Run Keys / Startup Folder2Timestomp1LSA SecretsVirtualization/Sandbox Evasion3SSHKeyloggingData Transfer Size LimitsApplication Layer Protocol11Manipulate Device CommunicationManipulate App Store Rankings or Ratings
        Replication Through Removable MediaLaunchdRc.commonRc.commonMasquerading11Cached Domain CredentialsProcess Discovery2VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
        External Remote ServicesScheduled TaskStartup ItemsStartup ItemsValid Accounts1DCSyncApplication Window Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
        Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobAccess Token Manipulation1Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
        Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Virtualization/Sandbox Evasion3/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
        Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Process Injection312Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
        Compromise Software Dependencies and Development ToolsWindows Command ShellCronCronHidden Files and Directories1Input CapturePermission Groups DiscoveryReplication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop

        Behavior Graph

        Behavior Graph ID: 338654; Sample: Doc#6620200947535257653.exe; Start date: 12/01/2021; Architecture: WINDOWS; Score: 100
        Signatures on the start node: Found malware configuration; Malicious sample detected (through community Yara rule); Icon mismatch, binary includes an icon from a different legit application in order to fool users; 7 other signatures

        Process tree as drawn in the graph:
        Doc#6620200947535257653.exe
            dropped: C:\Users\user\AppData\...\gjhgkuytgkgfgd.exe (PE32); C:\Users\user\AppData\...\AddInProcess32.exe (PE32); C:\...\gjhgkuytgkgfgd.exe:Zone.Identifier (ASCII); C:\Users\...\Doc#6620200947535257653.exe.log (ASCII)
            signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
            -> gjhgkuytgkgfgd.exe
                dropped: C:\Users\user\...\ffgfhfjftdghghrghse.exe (PE32)
                signatures: Machine Learning detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
                -> AddInProcess32.exe
                    network: 185.157.160.233:2212 (OBE-EUROPEObenetworkEuropeSE, Sweden); annapro.linkpc.net 105.112.106.128:2212 (VNL1-ASNG, Nigeria)
                    dropped: C:\Users\user\AppData\Roaming\...\run.dat (ISO-8859)
                    signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
                -> ffgfhfjftdghghrghse.exe
                    network: 192.168.2.1 (unknown)
                    -> ffgfhfjftdghghrghse.exe
                -> ffgfhfjftdghghrghse.exe
                    -> ffgfhfjftdghghrghse.exe
                -> 3 other processes
                    -> ffgfhfjftdghghrghse.exe
                    -> ffgfhfjftdghghrghse.exe
                    -> ffgfhfjftdghghrghse.exe

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        Doc#6620200947535257653.exe | 100% | Joe Sandbox ML |

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0% | Metadefender |
        C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe | 3% | Metadefender |
        C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe | 0% | ReversingLabs |

        Unpacked PE Files

        Source | Detection | Scanner | Label
        23.2.AddInProcess32.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        23.2.AddInProcess32.exe.5720000.6.unpack | 100% | Avira | TR/NanoCore.fadte

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label
        http://ns.adobe.cobjq | 0% | Avira URL Cloud | safe
        http://ns.adobe.c/g | 0% | URL Reputation | safe
        http://ns.adobe.cobj | 0% | URL Reputation | safe
        http://ns.ado/1q | 0% | Avira URL Cloud | safe
        http://ns.adobe.c/gq | 0% | Avira URL Cloud | safe
        http://ns.ado/1 | 0% | URL Reputation | safe

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        annapro.linkpc.net | 105.112.106.128 | true | false | | high

          URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://ns.adobe.cobjq | gjhgkuytgkgfgd.exe, 00000010.00000003.319689296.0000000008760000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://ns.adobe.c/g | Doc#6620200947535257653.exe, 00000000.00000003.218378992.00000000088C0000.00000004.00000001.sdmp, Doc#6620200947535257653.exe, 00000000.00000003.310684596.00000000088C0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://ns.adobe.cobj | Doc#6620200947535257653.exe, 00000000.00000003.218378992.00000000088C0000.00000004.00000001.sdmp, Doc#6620200947535257653.exe, 00000000.00000003.310684596.00000000088C0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://ns.ado/1q | gjhgkuytgkgfgd.exe, 00000010.00000003.319689296.0000000008760000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://ns.adobe.c/gq | gjhgkuytgkgfgd.exe, 00000010.00000003.319689296.0000000008760000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://ns.ado/1 | Doc#6620200947535257653.exe, 00000000.00000003.218378992.00000000088C0000.00000004.00000001.sdmp, Doc#6620200947535257653.exe, 00000000.00000003.310684596.00000000088C0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

          Contacted IPs


          Public

          IP | Domain | Country | ASN | ASN Name | Malicious
          185.157.160.233 | unknown | Sweden | 197595 | OBE-EUROPEObenetworkEuropeSE | true
          105.112.106.128 | unknown | Nigeria | 36873 | VNL1-ASNG | false

          Private

          IP
          192.168.2.1

          General Information

          Joe Sandbox Version:31.0.0 Red Diamond
          Analysis ID:338654
          Start date:12.01.2021
          Start time:17:55:33
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 15m 51s
          Hypervisor based Inspection enabled:false
          Report type:light
          Sample file name:Doc#6620200947535257653.exe
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of analysed new started processes analysed:40
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@26/19@3/3
          EGA Information:Failed
          HDC Information:
          • Successful, ratio: 3.3% (good quality ratio 2.7%)
          • Quality average: 67.9%
          • Quality standard deviation: 33%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          • Found application associated with file extension: .exe
          Warnings:
          • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
          • Excluded IPs from analysis (whitelisted): 13.88.21.125, 104.42.151.234, 104.79.90.110, 168.61.161.212, 51.11.168.160, 92.122.213.194, 92.122.213.247, 67.27.157.254, 8.248.145.254, 67.26.73.254, 67.26.83.254, 8.248.131.254, 52.155.217.156, 20.54.26.129
          • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net
          • Report creation exceeded maximum time and may have missing disassembly code information.
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Report size getting too big, too many NtReadVirtualMemory calls found.

          Simulations

          Behavior and APIs

          Time | Type | Description
          17:56:29 | API Interceptor | 183x Sleep call for process: Doc#6620200947535257653.exe modified
          17:56:30 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gjhgkuytgkgfgd.lnk
          17:57:16 | API Interceptor | 217x Sleep call for process: gjhgkuytgkgfgd.exe modified

          Joe Sandbox View / Context

          IPs

          Match | Associated Sample Name / URL | Detection
          185.157.160.233 | DHL_file 187652345643476245.exe | malicious
          185.157.160.233 | DHL_file 187652345643476245.exe | malicious
          185.157.160.233 | DHL_file 187652345643476245.exe | malicious
          185.157.160.233 | DHL_file 187652345643476245.exe | malicious
          185.157.160.233 | DHL_file 187652345643476245.exe | malicious
          185.157.160.233 | DHL_file 187652345643476245.exe | malicious
          185.157.160.233 | FedExs AWB#5305323204643.exe | malicious
          185.157.160.233 | URGENT QUOTATION 473833057.exe | malicious
          185.157.160.233 | P-O Doc #6620200947535257653.exe | malicious

                            Domains

          Match | Associated Sample Name / URL | Detection | Context (resolved IP)
          annapro.linkpc.net | DHL_file 187652345643476245.exe | malicious | 105.112.113.90
          annapro.linkpc.net | DHL_file 187652345643476245.exe | malicious | 105.112.113.90
          annapro.linkpc.net | DHL_file 187652345643476245.exe | malicious | 105.112.113.90
          annapro.linkpc.net | DHL_file 187652345643476245.exe | malicious | 105.112.113.90
          annapro.linkpc.net | FedExs AWB#5305323204643.exe | malicious | 105.112.113.90
          annapro.linkpc.net | DHL_document11022020680908911.exe | malicious | 129.205.113.251
          annapro.linkpc.net | DHL ShipmentDHL Shipment 237590.pdf.exe | malicious | 129.205.124.172
          annapro.linkpc.net | Doc_AWB#5305323204643_UPS.pdf.exe | malicious | 129.205.124.152

                            ASN

          Match | Associated Sample Name / URL | Detection | Context (IP)
          VNL1-ASNG | DHL_file 187652345643476245.exe | malicious | 105.112.113.90
          VNL1-ASNG | DHL_file 187652345643476245.exe | malicious | 105.112.113.90
          VNL1-ASNG | DHL_file 187652345643476245.exe | malicious | 105.112.113.90
          VNL1-ASNG | DHL_file 187652345643476245.exe | malicious | 105.112.113.90
          VNL1-ASNG | Confirmation Copy RefNo-MT102.exe | malicious | 105.112.102.57
          VNL1-ASNG | FedExs AWB#5305323204643.exe | malicious | 105.112.113.90
          VNL1-ASNG | PAYMENT COPY.exe | malicious | 105.112.109.37
          VNL1-ASNG | PO456789.exe | malicious | 105.112.96.12
          VNL1-ASNG | DHL_10177_R293_DOCUMENT.exe | malicious | 105.112.101.201
          VNL1-ASNG | ibgcrnNmhB.exe | malicious | 105.112.25.130
          VNL1-ASNG | purchase order.exe | malicious | 105.112.25.74
          VNL1-ASNG | packing list.xlsx.exe | malicious | 105.112.69.142
          VNL1-ASNG | 9087654.exe | malicious | 105.112.101.151
          VNL1-ASNG | RFQ.exe | malicious | 105.112.100.239
          VNL1-ASNG | LOI.exe | malicious | 105.112.100.239
          VNL1-ASNG | corporate-tax.exe | malicious | 105.112.101.84
          VNL1-ASNG | QUOTATION - COVID 19 PROTECTION SOLUTIONS - final.exe | malicious | 105.112.124.8
          VNL1-ASNG | BDH9YAC4aQ.exe | malicious | 105.112.101.125
          VNL1-ASNG | JBIY8HTthL.exe | malicious | 105.112.101.125
          VNL1-ASNG | late-payment.exe | malicious | 105.112.45.74
          OBE-EUROPEObenetworkEuropeSE | Scan_order.exe | malicious | 185.157.161.61
          OBE-EUROPEObenetworkEuropeSE | inrfzFzDHR.exe | malicious | 45.148.16.42
          OBE-EUROPEObenetworkEuropeSE | SecuriteInfo.com.generic.ml.exe | malicious | 185.157.161.61
          OBE-EUROPEObenetworkEuropeSE | New PO.doc | malicious | 185.157.161.61
          OBE-EUROPEObenetworkEuropeSE | 89GsVCJAXv.exe | malicious | 185.157.162.81
          OBE-EUROPEObenetworkEuropeSE | spetsifikatsiya.xls | malicious | 185.157.162.81
          OBE-EUROPEObenetworkEuropeSE | DHL_file 187652345643476245.exe | malicious | 185.157.160.233
          OBE-EUROPEObenetworkEuropeSE | dpR3o92MH1.exe | malicious | 185.157.162.81
          OBE-EUROPEObenetworkEuropeSE | 0qNSJXB8nG.exe | malicious | 185.157.162.81
          OBE-EUROPEObenetworkEuropeSE | Order_1101201918_AUTECH.exe | malicious | 185.157.161.86
          OBE-EUROPEObenetworkEuropeSE | 7w7LwD8bqe.exe | malicious | 185.157.162.81
          OBE-EUROPEObenetworkEuropeSE | ZZB5zuv1X0.exe | malicious | 185.157.162.81
          OBE-EUROPEObenetworkEuropeSE | spetsifikatsiya.xls | malicious | 185.157.162.81
          OBE-EUROPEObenetworkEuropeSE | ptoovvKZ80.exe | malicious | 185.157.162.81
          OBE-EUROPEObenetworkEuropeSE | spetsifikatsiya.xls | malicious | 185.157.162.81
          OBE-EUROPEObenetworkEuropeSE | EnJsj6nuD4.exe | malicious | 185.157.162.81
          OBE-EUROPEObenetworkEuropeSE | AdviceSlip.xls | malicious | 217.64.149.169
          OBE-EUROPEObenetworkEuropeSE | DHL_file 187652345643476245.exe | malicious | 185.157.160.233
          OBE-EUROPEObenetworkEuropeSE | DHL_file 187652345643476245.exe | malicious | 185.157.160.233
          OBE-EUROPEObenetworkEuropeSE | DHL_file 187652345643476245.exe | malicious | 185.157.160.233

                            JA3 Fingerprints

                            No context

                            Dropped Files

                            Match | Associated Sample Name / URL | Detection
                            Match: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                            • SecuriteInfo.com.Generic.mg.15368412abd71685.exe, Detection: malicious
                            • RT-05723.exe, Detection: malicious
                            • Dekont.pdf.exe, Detection: malicious
                            • cFAWQ1mv83.exe, Detection: malicious
                            • I7313Y5Rr2.exe, Detection: malicious
                            • SWIFT-COPY Payment advice3243343.exe, Detection: malicious
                            • bWVvaTptgL.exe, Detection: malicious
                            • umOXxQ9PFS.exe, Detection: malicious
                            • BL,IN&PL.exe, Detection: malicious
                            • ORDER #0554.exe, Detection: malicious
                            • Dekont.pdf.exe, Detection: malicious
                            • IMG_84755643#U00e2#U20ac#U00aegpj.exe, Detection: malicious
                            • 8WLxD8uxRN.exe, Detection: malicious
                            • Quotation.exe, Detection: malicious
                            • e-dekont.html.exe, Detection: malicious
                            • Dekont.pdf.exe, Detection: malicious
                            • DHL_file 187652345643476245.exe, Detection: malicious
                            • SWIFT77266255378434pdf.exe, Detection: malicious
                            • SWIFT998775523434pdf.exe, Detection: malicious
                            • SWIFT345343445pdf.exe, Detection: malicious
                            Match: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe
                            • TD-10057.doc, Detection: malicious
                            • ndSscoDob9.exe, Detection: malicious
                            • SecuriteInfo.com.Generic.mg.15368412abd71685.exe, Detection: malicious
                            • QL-0217.doc, Detection: malicious
                            • DXXJmIDl3C.exe, Detection: malicious
                            • 0YdVJ6vqhO.exe, Detection: malicious
                            • RT-05723.exe, Detection: malicious
                            • RT-05723.doc, Detection: malicious
                            • DHL_file 187652345643476245.exe, Detection: malicious
                            • Order_1101201918_AUTECH.exe, Detection: malicious

                                                                                        Created / dropped Files

                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Doc#6620200947535257653.exe.log
                                                                                        Process:C:\Users\user\Desktop\Doc#6620200947535257653.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:modified
                                                                                        Size (bytes):1451
                                                                                        Entropy (8bit):5.345862727722058
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:ML9E4Ks2eE4O1lEE4UVwPKDE4KhK3VZ9pKhuE4IWUAE4KI6no84G1qE4j:MxHKXeHKlEHU0YHKhQnouHIW7HKjovGm
                                                                                        MD5:06F54CDBFEF62849AF5AE052722BD7B6
                                                                                        SHA1:FB0250AAC2057D0B5BCE4CE130891E428F28DA05
                                                                                        SHA-256:4C039B93A728B546F49C47ED8B448D40A3553CDAABB147067AEE3958133CB446
                                                                                        SHA-512:34EF5F6D5EAB0E5B11AC81F0D72FC56304291EDEEF6D19DF7145FDECAB5D342767DBBC0B4384B8DECB5741E6B85A4B431DF14FBEB5DDF2DEE103064D2895EABB
                                                                                        Malicious:true
                                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ffgfhfjftdghghrghse.exe.log
                                                                                        Process:C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):1362
                                                                                        Entropy (8bit):5.343186145897752
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:ML9E4Ks2eE4O1lEE4UVwPKDE4KhK3VZ9pKhuE4IWUAE4KI6no84j:MxHKXeHKlEHU0YHKhQnouHIW7HKjovj
                                                                                        MD5:1249251E90A1C28AB8F7235F30056DEB
                                                                                        SHA1:166BA6B64E9B0D9BA7B856334F7D7EC027030BA1
                                                                                        SHA-256:B5D65BF3581136CD5368BC47FA3972E06F526EED407BC6571D11D9CD4B5C4D83
                                                                                        SHA-512:FD880C5B12B22241F67139ABD09B99ACE7A4DD24635FC6B340A3E7C463E2AEF3FA68EF647352132934BC1F8CA134F46064049449ACB67954BEDDEA9AA9670885
                                                                                        Malicious:false
                                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
                                                                                        C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                                                                                        Process:C:\Users\user\Desktop\Doc#6620200947535257653.exe
                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):42080
                                                                                        Entropy (8bit):6.2125074198825105
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:gc3JOvwWj8Gpw0A67dOpRIMKJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+QsPZw:g4JU8g17dl6Iq88MoBd7mFViqM5sL2
                                                                                        MD5:F2A47587431C466535F3C3D3427724BE
                                                                                        SHA1:90DF719241CE04828F0DD4D31D683F84790515FF
                                                                                        SHA-256:23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
                                                                                        SHA-512:E9D0819478DDDA47763C7F5F617CD258D0FACBBBFFE0C7A965EDE9D0D884A6D7BB445820A3FD498B243BBD8BECBA146687B61421745E32B86272232C6F9E90D8
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                         • Antivirus: Metadefender, Detection: 0%
                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                        Joe Sandbox View:
                                                                                         • Filename: SecuriteInfo.com.Generic.mg.15368412abd71685.exe, Detection: malicious
                                                                                         • Filename: RT-05723.exe, Detection: malicious
                                                                                         • Filename: Dekont.pdf.exe, Detection: malicious
                                                                                         • Filename: cFAWQ1mv83.exe, Detection: malicious
                                                                                         • Filename: I7313Y5Rr2.exe, Detection: malicious
                                                                                         • Filename: SWIFT-COPY Payment advice3243343.exe, Detection: malicious
                                                                                         • Filename: bWVvaTptgL.exe, Detection: malicious
                                                                                         • Filename: umOXxQ9PFS.exe, Detection: malicious
                                                                                         • Filename: BL,IN&PL.exe, Detection: malicious
                                                                                         • Filename: ORDER #0554.exe, Detection: malicious
                                                                                         • Filename: Dekont.pdf.exe, Detection: malicious
                                                                                         • Filename: IMG_84755643#U00e2#U20ac#U00aegpj.exe, Detection: malicious
                                                                                         • Filename: 8WLxD8uxRN.exe, Detection: malicious
                                                                                         • Filename: Quotation.exe, Detection: malicious
                                                                                         • Filename: e-dekont.html.exe, Detection: malicious
                                                                                         • Filename: Dekont.pdf.exe, Detection: malicious
                                                                                         • Filename: DHL_file 187652345643476245.exe, Detection: malicious
                                                                                         • Filename: SWIFT77266255378434pdf.exe, Detection: malicious
                                                                                         • Filename: SWIFT998775523434pdf.exe, Detection: malicious
                                                                                         • Filename: SWIFT345343445pdf.exe, Detection: malicious
                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..X...........w... ........@.. ...................................`.................................Hw..O....... ............f..`>...........v............................................... ............... ..H............text....W... ...X.................. ..`.rsrc... ............Z..............@..@.reloc...............d..............@..B................|w......H........#...Q...................u.......................................0..K........-..*..i....*...r...p.o....,....r...p.o....-..*.....o......o.....$...*.....o....(....(......:...(....o......r...p.o.......4........o......... ........o......s ........o!...s".....s#.......r]..prg..po$.....r...p.o$.....r...pr...po$.........s.........(%.....tB...r...p(&...&..r...p.('...s(.......o)...&..o*....(+...o,.....&...(-....*.......3..@......R...s.....s....(....*:.(/.....}P...*J.{P....o0..
                                                                                        C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe
                                                                                        Process:C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):78336
                                                                                        Entropy (8bit):4.369296705546591
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:jlU4+MS3Fu0thSOV4GM0SuHk9Oh/1TRIWUk7NlfaNV9KQLxXXSv:l6o03IGMLuHk+Ck5lfaNP7xSv
                                                                                        MD5:0E362E7005823D0BEC3719B902ED6D62
                                                                                        SHA1:590D860B909804349E0CDC2F1662B37BD62F7463
                                                                                        SHA-256:2D0DC6216F613AC7551A7E70A798C22AEE8EB9819428B1357E2B8C73BEF905AD
                                                                                        SHA-512:518991B68496B3F8545E418CF9B345E0791E09CC20D177B8AA47E0ABA447AA55383C64F5BDACA39F2B061A5D08C16F2AD484AF8A9F238CA23AB081618FBA3AD3
                                                                                        Malicious:false
                                                                                        Antivirus:
                                                                                         • Antivirus: Metadefender, Detection: 3%
                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                        Joe Sandbox View:
                                                                                         • Filename: TD-10057.doc, Detection: malicious
                                                                                         • Filename: ndSscoDob9.exe, Detection: malicious
                                                                                         • Filename: SecuriteInfo.com.Generic.mg.15368412abd71685.exe, Detection: malicious
                                                                                         • Filename: QL-0217.doc, Detection: malicious
                                                                                         • Filename: DXXJmIDl3C.exe, Detection: malicious
                                                                                         • Filename: 0YdVJ6vqhO.exe, Detection: malicious
                                                                                         • Filename: RT-05723.exe, Detection: malicious
                                                                                         • Filename: RT-05723.doc, Detection: malicious
                                                                                         • Filename: DHL_file 187652345643476245.exe, Detection: malicious
                                                                                         • Filename: Order_1101201918_AUTECH.exe, Detection: malicious
                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Y ................P..&...........D... ........@.. ....................................`..................................D..W....`..............................hD............................................... ............... ..H............text....$... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............0..............@..B.................D......H.......l....%......)....................................................0..6.......(8...t....&.(8...t....&......(8...t...................8;....8%.....(8...t....&.(8...t............:.....(8...t....:.....(8...t....:....(8...t....................................\:@....(8...t....&.)...&8.....(8...t....&(8...t....&.....:.......8x........:L...88....(8...t....&(8...t....&(8...t....&(8...t.....................:....8!.....(8...t....&......(8...t....&.....(8...t....:8.....(8...t....&.
                                                                                        C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.txt
                                                                                        Process:C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):63
                                                                                        Entropy (8bit):4.832216979255192
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:eq+f5PWXp5cViEaKC5SJRCEidNv:edWXp+NaZ5gkHdNv
                                                                                        MD5:B5B35C7EF496B579817631AB19BD4129
                                                                                        SHA1:8AB40C45DB592DD0E40434188014DDF18B4E4575
                                                                                        SHA-256:CD6C836759956A22FE8CFCBAD2A2959228693920AC2B6EF299EFD171328481E2
                                                                                        SHA-512:583862D019031B3AC2DAF14F7E337BE90B46C41EA8D99A1D7859351AD0B9E071BA4C39AD906AEE575708F5B79B0CEE30B66A057A3E6067526A920BAB7E8710EF
                                                                                        Malicious:false
                                                                                        Preview: 6308..C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe..6836..
                                                                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                                        Process:C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                                                                                        File Type:ISO-8859 text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):8
                                                                                        Entropy (8bit):3.0
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:fjn:rn
                                                                                        MD5:39EC59A244421131603478561DB4C0F3
                                                                                        SHA1:C8B7BFE7FA5725FD160F3308604D977077E14E63
                                                                                        SHA-256:A10829EF59D2187128E2C0430494AA18A1CDDE6B78A068649B7DD686DAFFA5C1
                                                                                        SHA-512:B1F8117B82F6415FD778B6C79D4FD2EDB3F6E25CE4FDF2D186C95A8401EF0DA12B64F6EA3E1195C020127008F192CD6CBCF7384216315CAFF136170CA05F9FA7
                                                                                        Malicious:true
                                                                                        Preview: R.o.f..H
                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gjhgkuytgkgfgd.lnk
                                                                                        Process:C:\Users\user\Desktop\Doc#6620200947535257653.exe
                                                                                        File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                                                                                        Category:dropped
                                                                                        Size (bytes):946
                                                                                        Entropy (8bit):3.1905608436918538
                                                                                        Encrypted:false
                                                                                        SSDEEP:12:8wl05sXou41w/tz0/CSLh90WOycWO53qMJ3WOegTCNfBT/v4t2Y+xIBjK:8af4eWLLVOwO5toOeVpd7aB
                                                                                        MD5:1937001F0ECE85E425FAF152B9D2C801
                                                                                        SHA1:0911B6C7DED5C08535C7B6416F9A8E8C42E8F12F
                                                                                        SHA-256:F648B7E54C93822D5AE766AF44A1E8292E745A064A24BA68B14FEE32CD80EF5C
                                                                                        SHA-512:72AE9987FB528D857D7B609C9EB2535304D0BD1C5C266B10EF8EDF0B3EAFE61C738B751E53E481D4F976A1A5396EDB49435D5A51927957CE40D8E4C02895BF88
                                                                                        Malicious:false
                                                                                        Preview: L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................h.a.r.d.z.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....x.2...........gjhgkuytgkgfgd.exe..V............................................g.j.h.g.k.u.y.t.g.k.g.f.g.d...e.x.e..."...!.....\.....\.....\.....\.....\.g.j.h.g.k.u.y.t.g.k.g.f.g.d...e.x.e.1.C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.g.j.h.g.k.u.y.t.g.k.g.f.g.d...e.x.e.............y.............>.e.L.:..er.=y...............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.................
                                                                                        C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe
                                                                                        Process:C:\Users\user\Desktop\Doc#6620200947535257653.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):5468672
                                                                                        Entropy (8bit):7.865386384993106
                                                                                        Encrypted:false
                                                                                        SSDEEP:98304:wfAG/Q0IRjCdGmZFT4nNSOJPtbFEG219YgQA2XNBe6/BBwM5q7HjQ5hZLbQh+B6j:wfA6tGm7T4nB+G219jQAABeIaMI7DQ5s
                                                                                        MD5:6618B8298100D5FB25D23B498A33D492
                                                                                        SHA1:BD61A9C97E54B031AE4EAEB7F69F2006454E1EDC
                                                                                        SHA-256:96CDF96DAEA9002D2DCF31E5D37B7DF4942EF6085209DF1F6B269B9BACA3E40A
SHA-512: 0BFACD251083EBB01BE36B37C18237954FCA2E87532E0E2B63560FB259167E7365416CE6A573CF1FB31F8FBEA40FD824C110CCB929BFA925852C1225EF5812A7
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....XZ..................P...........P.. ........@.. ........................S...........`.................................P.P.K.....P.&.....................S...................................................... ............... ..H............text.....P.. ....P................. ..`.rsrc...&.....P.......P.............@..@.reloc........S......pS.............@..B..................P.....H........P.d!......?...,l...?O.......................................... .........%.....(......... &........%.....(.........*...0..].......8......+..(....t........................(%...t............. ....(%...t....(....t....(....t....(%...t........(%...t....(....t.........................:o....&&......... .I. .?__.(%...t....&..-.............(....t....(%...t...........(....t....(....t.............\(%...t.............(%...t.... h.'Z(%...t....(%...t.....................(%...t..

C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe:Zone.Identifier
Process: C:\Users\user\Desktop\Doc#6620200947535257653.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.865386384993106
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: Doc#6620200947535257653.exe
File size: 5468672
MD5: 6618b8298100d5fb25d23b498a33d492
SHA1: bd61a9c97e54b031ae4eaeb7f69f2006454e1edc
SHA256: 96cdf96daea9002d2dcf31e5d37b7df4942ef6085209df1f6b269b9baca3e40a
SHA512: 0bfacd251083ebb01be36b37c18237954fca2e87532e0e2b63560fb259167e7365416ce6a573cf1fb31f8fbea40fd824c110ccb929bfa925852c1225ef5812a7
SSDEEP: 98304:wfAG/Q0IRjCdGmZFT4nNSOJPtbFEG219YgQA2XNBe6/BBwM5q7HjQ5hZLbQh+B6j:wfA6tGm7T4nB+G219jQAABeIaMI7DQ5s
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....XZ..................P...........P.. ........@.. ........................S...........`................................

File Icon

Icon Hash: c6a9989ae8ccb6cc

Static PE Info

General

Entrypoint: 0x90d19e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp: 0x5A58B9FE [Fri Jan 12 13:37:02 2018 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the line above is repeated 97 times in the report: the bytes following the managed entrypoint's jump through the IAT are zero padding, and 00 00 disassembles as add byte ptr [eax], al)

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x50d150 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x50e000 | 0x2ba26 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x53a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x50b1a4 | 0x50b200 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x50e000 | 0x2ba26 | 0x2bc00 | False | 0.236037946429 | data | 5.55613330154 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x53a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x50e2b0 | 0x39bc | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0x511c6c | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x522494 | 0x94a8 | data | |
RT_ICON | 0x52b93c | 0x5488 | data | |
RT_ICON | 0x530dc4 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 254, next used block 520093696 | |
RT_ICON | 0x534fec | 0x25a8 | data | |
RT_ICON | 0x537594 | 0x10a8 | data | |
RT_ICON | 0x53863c | 0x988 | data | |
RT_ICON | 0x538fc4 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0x53942c | 0x84 | data | |
RT_VERSION | 0x5394b0 | 0x38c | PGP symmetric key encrypted data - Plaintext or unencrypted data | |
RT_MANIFEST | 0x53983c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 1991 DH5?A=@H6?B38I5
Assembly Version | 1.0.0.0
InternalName | tonyumeze1.exe
FileVersion | 1.1.2.2
CompanyName | DH5?A=@H6?B38I5
Comments | 7GC4@8J4I5=E=GF>
ProductName | 3?=4;=G=3=357=4=I8CI37
ProductVersion | 1.1.2.2
FileDescription | 3?=4;=G=3=357=4=I8CI37
OriginalFilename | tonyumeze1.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 12, 2021 17:57:55.798674107 CET | 49744 | 2212 | 192.168.2.3 | 185.157.160.233
Jan 12, 2021 17:57:58.808279037 CET | 49744 | 2212 | 192.168.2.3 | 185.157.160.233
Jan 12, 2021 17:58:04.808785915 CET | 49744 | 2212 | 192.168.2.3 | 185.157.160.233
Jan 12, 2021 17:58:14.390619040 CET | 49747 | 2212 | 192.168.2.3 | 185.157.160.233
Jan 12, 2021 17:58:17.403597116 CET | 49747 | 2212 | 192.168.2.3 | 185.157.160.233
Jan 12, 2021 17:58:23.404225111 CET | 49747 | 2212 | 192.168.2.3 | 185.157.160.233
Jan 12, 2021 17:58:32.204036951 CET | 49748 | 2212 | 192.168.2.3 | 185.157.160.233
Jan 12, 2021 17:58:35.217572927 CET | 49748 | 2212 | 192.168.2.3 | 185.157.160.233
Jan 12, 2021 17:58:41.233699083 CET | 49748 | 2212 | 192.168.2.3 | 185.157.160.233
Jan 12, 2021 17:58:50.372756958 CET | 49749 | 2212 | 192.168.2.3 | 105.112.106.128
Jan 12, 2021 17:58:53.375335932 CET | 49749 | 2212 | 192.168.2.3 | 105.112.106.128
Jan 12, 2021 17:58:59.391510963 CET | 49749 | 2212 | 192.168.2.3 | 105.112.106.128
Jan 12, 2021 17:59:08.496875048 CET | 49750 | 2212 | 192.168.2.3 | 105.112.106.128
Jan 12, 2021 17:59:11.509463072 CET | 49750 | 2212 | 192.168.2.3 | 105.112.106.128
Jan 12, 2021 17:59:17.523021936 CET | 49750 | 2212 | 192.168.2.3 | 105.112.106.128
Jan 12, 2021 17:59:26.786813021 CET | 49751 | 2212 | 192.168.2.3 | 105.112.106.128
Jan 12, 2021 17:59:29.790956974 CET | 49751 | 2212 | 192.168.2.3 | 105.112.106.128
Jan 12, 2021 17:59:35.819057941 CET | 49751 | 2212 | 192.168.2.3 | 105.112.106.128
Jan 12, 2021 17:59:45.027111053 CET | 49752 | 2212 | 192.168.2.3 | 185.157.160.233
Jan 12, 2021 17:59:48.041292906 CET | 49752 | 2212 | 192.168.2.3 | 185.157.160.233
Jan 12, 2021 17:59:54.041799068 CET | 49752 | 2212 | 192.168.2.3 | 185.157.160.233
Jan 12, 2021 18:00:03.215517044 CET | 49753 | 2212 | 192.168.2.3 | 185.157.160.233
Jan 12, 2021 18:00:06.214715004 CET | 49753 | 2212 | 192.168.2.3 | 185.157.160.233
Jan 12, 2021 18:00:12.230786085 CET | 49753 | 2212 | 192.168.2.3 | 185.157.160.233

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 12, 2021 17:56:19.326241970 CET | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Jan 12, 2021 17:56:19.374783993 CET | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Jan 12, 2021 17:56:27.161595106 CET | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Jan 12, 2021 17:56:27.212310076 CET | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Jan 12, 2021 17:56:28.614533901 CET | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Jan 12, 2021 17:56:28.662377119 CET | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Jan 12, 2021 17:56:35.725056887 CET | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Jan 12, 2021 17:56:35.773153067 CET | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Jan 12, 2021 17:56:36.903487921 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Jan 12, 2021 17:56:36.951467991 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Jan 12, 2021 17:56:38.042745113 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Jan 12, 2021 17:56:38.093849897 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Jan 12, 2021 17:56:48.021518946 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Jan 12, 2021 17:56:48.072380066 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Jan 12, 2021 17:56:50.303359985 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Jan 12, 2021 17:56:50.362955093 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Jan 12, 2021 17:56:51.252808094 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Jan 12, 2021 17:56:51.301140070 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Jan 12, 2021 17:56:52.621669054 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Jan 12, 2021 17:56:52.672514915 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Jan 12, 2021 17:56:53.915350914 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Jan 12, 2021 17:56:53.963336945 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Jan 12, 2021 17:56:55.177421093 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Jan 12, 2021 17:56:55.225336075 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Jan 12, 2021 17:56:56.250422955 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Jan 12, 2021 17:56:56.298249006 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Jan 12, 2021 17:56:56.648761034 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Jan 12, 2021 17:56:56.696661949 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Jan 12, 2021 17:56:57.866127968 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Jan 12, 2021 17:56:57.914181948 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Jan 12, 2021 17:56:59.723042011 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Jan 12, 2021 17:56:59.770898104 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Jan 12, 2021 17:57:01.246870995 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8
                                                                                        Jan 12, 2021 17:57:01.294780016 CET53575688.8.8.8192.168.2.3
                                                                                        Jan 12, 2021 17:57:03.056180000 CET5054053192.168.2.38.8.8.8
                                                                                        Jan 12, 2021 17:57:03.106991053 CET53505408.8.8.8192.168.2.3
                                                                                        Jan 12, 2021 17:57:04.783117056 CET5436653192.168.2.38.8.8.8
                                                                                        Jan 12, 2021 17:57:04.843293905 CET53543668.8.8.8192.168.2.3
                                                                                        Jan 12, 2021 17:57:08.200357914 CET5303453192.168.2.38.8.8.8
                                                                                        Jan 12, 2021 17:57:08.248420000 CET53530348.8.8.8192.168.2.3
                                                                                        Jan 12, 2021 17:57:22.162250042 CET5776253192.168.2.38.8.8.8
                                                                                        Jan 12, 2021 17:57:22.218539000 CET53577628.8.8.8192.168.2.3
                                                                                        Jan 12, 2021 17:57:22.741422892 CET5543553192.168.2.38.8.8.8
                                                                                        Jan 12, 2021 17:57:22.797660112 CET53554358.8.8.8192.168.2.3
                                                                                        Jan 12, 2021 17:57:23.248693943 CET5071353192.168.2.38.8.8.8
                                                                                        Jan 12, 2021 17:57:23.313009024 CET53507138.8.8.8192.168.2.3
                                                                                        Jan 12, 2021 17:57:23.402879000 CET5613253192.168.2.38.8.8.8
                                                                                        Jan 12, 2021 17:57:23.453833103 CET53561328.8.8.8192.168.2.3
                                                                                        Jan 12, 2021 17:57:23.907932997 CET5898753192.168.2.38.8.8.8
                                                                                        Jan 12, 2021 17:57:23.955647945 CET53589878.8.8.8192.168.2.3
                                                                                        Jan 12, 2021 17:57:24.432678938 CET5657953192.168.2.38.8.8.8
                                                                                        Jan 12, 2021 17:57:24.489090919 CET53565798.8.8.8192.168.2.3
                                                                                        Jan 12, 2021 17:57:25.026547909 CET6063353192.168.2.38.8.8.8
                                                                                        Jan 12, 2021 17:57:25.134965897 CET53606338.8.8.8192.168.2.3
                                                                                        Jan 12, 2021 17:57:25.699340105 CET6129253192.168.2.38.8.8.8
                                                                                        Jan 12, 2021 17:57:25.760802984 CET53612928.8.8.8192.168.2.3
                                                                                        Jan 12, 2021 17:57:26.653865099 CET6361953192.168.2.38.8.8.8
                                                                                        Jan 12, 2021 17:57:26.710376978 CET53636198.8.8.8192.168.2.3
                                                                                        Jan 12, 2021 17:57:27.737202883 CET6493853192.168.2.38.8.8.8
                                                                                        Jan 12, 2021 17:57:27.785126925 CET53649388.8.8.8192.168.2.3
                                                                                        Jan 12, 2021 17:57:28.234627008 CET6194653192.168.2.38.8.8.8
                                                                                        Jan 12, 2021 17:57:28.293788910 CET53619468.8.8.8192.168.2.3
                                                                                        Jan 12, 2021 17:57:35.274568081 CET6491053192.168.2.38.8.8.8
                                                                                        Jan 12, 2021 17:57:35.332288027 CET53649108.8.8.8192.168.2.3
                                                                                        Jan 12, 2021 17:58:04.817537069 CET5212353192.168.2.38.8.8.8
                                                                                        Jan 12, 2021 17:58:04.868258953 CET53521238.8.8.8192.168.2.3
                                                                                        Jan 12, 2021 17:58:09.297847033 CET5613053192.168.2.38.8.8.8
                                                                                        Jan 12, 2021 17:58:09.373827934 CET53561308.8.8.8192.168.2.3
                                                                                        Jan 12, 2021 17:58:50.179835081 CET5633853192.168.2.38.8.8.8
                                                                                        Jan 12, 2021 17:58:50.353128910 CET53563388.8.8.8192.168.2.3
                                                                                        Jan 12, 2021 17:59:08.320486069 CET5942053192.168.2.38.8.8.8
                                                                                        Jan 12, 2021 17:59:08.493628979 CET53594208.8.8.8192.168.2.3
                                                                                        Jan 12, 2021 17:59:26.725831985 CET5878453192.168.2.38.8.8.8
                                                                                        Jan 12, 2021 17:59:26.784532070 CET53587848.8.8.8192.168.2.3

                                                                                        DNS Queries

                                                                                         Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                                         Jan 12, 2021 17:58:50.179835081 CET | 192.168.2.3 | 8.8.8.8 | 0xbfb1 | Standard query (0) | annapro.linkpc.net | A (IP address) | IN (0x0001)
                                                                                         Jan 12, 2021 17:59:08.320486069 CET | 192.168.2.3 | 8.8.8.8 | 0x3d | Standard query (0) | annapro.linkpc.net | A (IP address) | IN (0x0001)
                                                                                         Jan 12, 2021 17:59:26.725831985 CET | 192.168.2.3 | 8.8.8.8 | 0x496c | Standard query (0) | annapro.linkpc.net | A (IP address) | IN (0x0001)

                                                                                        DNS Answers

                                                                                         Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                                         Jan 12, 2021 17:58:50.353128910 CET | 8.8.8.8 | 192.168.2.3 | 0xbfb1 | No error (0) | annapro.linkpc.net | | 105.112.106.128 | A (IP address) | IN (0x0001)
                                                                                         Jan 12, 2021 17:59:08.493628979 CET | 8.8.8.8 | 192.168.2.3 | 0x3d | No error (0) | annapro.linkpc.net | | 105.112.106.128 | A (IP address) | IN (0x0001)
                                                                                         Jan 12, 2021 17:59:26.784532070 CET | 8.8.8.8 | 192.168.2.3 | 0x496c | No error (0) | annapro.linkpc.net | | 105.112.106.128 | A (IP address) | IN (0x0001)

                                                                                        Code Manipulations

                                                                                        Statistics

                                                                                        Behavior

                                                                                        System Behavior

                                                                                        General

                                                                                        Start time:17:56:24
                                                                                        Start date:12/01/2021
                                                                                        Path:C:\Users\user\Desktop\Doc#6620200947535257653.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:'C:\Users\user\Desktop\Doc#6620200947535257653.exe'
                                                                                        Imagebase:0xe70000
                                                                                        File size:5468672 bytes
                                                                                        MD5 hash:6618B8298100D5FB25D23B498A33D492
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.314934882.00000000049AC000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.314934882.00000000049AC000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.314934882.00000000049AC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.314242326.000000000484F000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.314242326.000000000484F000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.314242326.000000000484F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        Reputation:low

                                                                                        General

                                                                                        Start time:17:57:10
                                                                                        Start date:12/01/2021
                                                                                        Path:C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:'C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe'
                                                                                        Imagebase:0xd10000
                                                                                        File size:5468672 bytes
                                                                                        MD5 hash:6618B8298100D5FB25D23B498A33D492
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.704326696.0000000004721000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.704326696.0000000004721000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.704326696.0000000004721000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.704615515.000000000499C000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.704615515.000000000499C000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.704615515.000000000499C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.704483178.000000000483F000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.704483178.000000000483F000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.704483178.000000000483F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        Antivirus matches:
                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                        Reputation:low

                                                                                        General

                                                                                        Start time:17:57:47
                                                                                        Start date:12/01/2021
                                                                                        Path:C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                                                                                        Imagebase:0x880000
                                                                                        File size:42080 bytes
                                                                                        MD5 hash:F2A47587431C466535F3C3D3427724BE
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.692289484.0000000003EB9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.692289484.0000000003EB9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000002.672265622.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.672265622.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.672265622.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000002.700402304.00000000052E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000017.00000002.700402304.00000000052E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000002.701805555.0000000005720000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000017.00000002.701805555.0000000005720000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.701805555.0000000005720000.00000004.00000001.sdmp, Author: Joe Security
                                                                                        Antivirus matches:
                                                                                        • Detection: 0%, Metadefender, Browse
                                                                                        • Detection: 0%, ReversingLabs
                                                                                        Reputation:moderate

                                                                                        General

                                                                                        Start time:17:58:01
                                                                                        Start date:12/01/2021
                                                                                        Path:C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe'
                                                                                        Imagebase:0x920000
                                                                                        File size:78336 bytes
                                                                                        MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Antivirus matches:
                                                                                        • Detection: 3%, Metadefender, Browse
                                                                                        • Detection: 0%, ReversingLabs
                                                                                        Reputation:low

                                                                                        General

                                                                                        Start time:17:58:12
                                                                                        Start date:12/01/2021
                                                                                        Path:C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe'
                                                                                        Imagebase:0x8b0000
                                                                                        File size:78336 bytes
                                                                                        MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Reputation:low

                                                                                        General

                                                                                        Start time:17:58:17
                                                                                        Start date:12/01/2021
                                                                                        Path:C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe'
                                                                                        Imagebase:0xdd0000
                                                                                        File size:78336 bytes
                                                                                        MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Reputation:low

                                                                                        General

                                                                                        Start time:17:58:29
                                                                                        Start date:12/01/2021
                                                                                        Path:C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe'
                                                                                        Imagebase:0xec0000
                                                                                        File size:78336 bytes
                                                                                        MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:.Net C# or VB.NET
                                                                                        Reputation:low

                                                                                        General

                                                                                        Start time:17:58:35
                                                                                        Start date:12/01/2021
                                                                                        Path:C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe'
                                                                                        Imagebase:0x270000
                                                                                        File size:78336 bytes
                                                                                        MD5 hash:0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 17:58:46
Start date: 12/01/2021
Path: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe'
Imagebase: 0xff0000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 17:58:52
Start date: 12/01/2021
Path: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe'
Imagebase: 0xbd0000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 17:59:04
Start date: 12/01/2021
Path: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe'
Imagebase: 0xb50000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 17:59:10
Start date: 12/01/2021
Path: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe'
Imagebase: 0xb10000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 17:59:30
Start date: 12/01/2021
Path: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe'
Imagebase: 0xf70000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

Disassembly

Code Analysis
