Analysis Report order-181289654312464648.exe

Overview

General Information

Sample Name: order-181289654312464648.exe
Analysis ID: 339042
MD5: 28da42c2cd57e51cb8ea7df263802924
SHA1: 81c980f2cda9b42b0b8bf50c7128cc88afd942fd
SHA256: 2d564ae361eb499ca493273e9fcfb88546105c88293c7633a7e1580a435cee9f
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • order-181289654312464648.exe (PID: 5964 cmdline: 'C:\Users\user\Desktop\order-181289654312464648.exe' MD5: 28DA42C2CD57E51CB8EA7DF263802924)
    • fdcgjhjyuyihdastagghejh.exe (PID: 6692 cmdline: 'C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe' MD5: 28DA42C2CD57E51CB8EA7DF263802924)
      • AddInProcess32.exe (PID: 4316 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
      • fdexedxfuuyytwq.exe (PID: 5168 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • fdexedxfuuyytwq.exe (PID: 5188 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • fdexedxfuuyytwq.exe (PID: 5688 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • fdexedxfuuyytwq.exe (PID: 3564 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • fdexedxfuuyytwq.exe (PID: 1048 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • fdexedxfuuyytwq.exe (PID: 5044 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • fdexedxfuuyytwq.exe (PID: 6328 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • fdexedxfuuyytwq.exe (PID: 6816 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • fdexedxfuuyytwq.exe (PID: 6880 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • fdexedxfuuyytwq.exe (PID: 6708 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • fdexedxfuuyytwq.exe (PID: 6800 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • fdexedxfuuyytwq.exe (PID: 5504 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • fdexedxfuuyytwq.exe (PID: 6124 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • fdexedxfuuyytwq.exe (PID: 6892 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • fdexedxfuuyytwq.exe (PID: 2792 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • fdexedxfuuyytwq.exe (PID: 6936 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • fdexedxfuuyytwq.exe (PID: 7120 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.157.162.81"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth, Strings:
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
Source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth, Strings:
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
Source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
Source: 0000000F.00000002.624910732.0000000006BD0000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth, Strings:
  • 0x8ba5:$x1: NanoCore.ClientPluginHost
  • 0x8bd2:$x2: IClientNetworkHost
Source: 0000000F.00000002.624910732.0000000006BD0000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth, Strings:
  • 0x8ba5:$x2: NanoCore.ClientPluginHost
  • 0x9b74:$s2: FileCommand
  • 0xe576:$s4: PipeCreated
  • 0x8bbf:$s5: IClientLoggingHost

    Unpacked PEs

Source: 15.2.AddInProcess32.exe.6bc0000.8.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth, Strings:
  • 0x2dbb:$x1: NanoCore.ClientPluginHost
  • 0x2de5:$x2: IClientNetworkHost
Source: 15.2.AddInProcess32.exe.6bc0000.8.unpack, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth, Strings:
  • 0x2dbb:$x2: NanoCore.ClientPluginHost
  • 0x4c6b:$s4: PipeCreated
Source: 15.2.AddInProcess32.exe.6ca0000.18.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth, Strings:
  • 0x1d3db:$x1: NanoCore.ClientPluginHost
  • 0x1d3f5:$x2: IClientNetworkHost
Source: 15.2.AddInProcess32.exe.6ca0000.18.unpack, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth, Strings:
  • 0x1d3db:$x2: NanoCore.ClientPluginHost
  • 0x20718:$s4: PipeCreated
  • 0x1d3c8:$s5: IClientLoggingHost
Source: 15.2.AddInProcess32.exe.6c60000.15.raw.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth, Strings:
  • 0x39eb:$x1: NanoCore.ClientPluginHost
  • 0x3a24:$x2: IClientNetworkHost

    Sigma Overview

    System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ProcessId: 4316, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    Signature Overview

    AV Detection:

Found malware configuration
Source: AddInProcess32.exe.4316.15.memstr, Malware Configuration Extractor: NanoCore {"C2: ": ["185.157.162.81"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe, Virustotal: Detection: 7%
Yara detected Nanocore RAT
Source: Yara match, file source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000002.619247841.0000000003B51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000002.620771478.0000000003F6F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: order-181289654312464648.exe PID: 5964, type: MEMORY
Source: Yara match, file source: Process Memory Space: fdcgjhjyuyihdastagghejh.exe PID: 6692, type: MEMORY
Source: Yara match, file source: Process Memory Space: AddInProcess32.exe PID: 4316, type: MEMORY
Source: Yara match, file source: 15.2.AddInProcess32.exe.5c00000.6.unpack, type: UNPACKEDPE
Source: Yara match, file source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 15.2.AddInProcess32.exe.5c00000.6.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: order-181289654312464648.exe, Joe Sandbox ML: detected
Source: 15.2.AddInProcess32.exe.5c00000.6.unpack, Avira: Label: TR/NanoCore.fadte
Source: 15.2.AddInProcess32.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: order-181289654312464648.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: order-181289654312464648.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: AddInProcess32.pdb, source: AddInProcess32.exe, AddInProcess32.exe.0.dr
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb, source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
Source: Binary string: AddInProcess32.pdbpw, source: AddInProcess32.exe, 0000000F.00000000.391348657.00000000006A2000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb, source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb, source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb, source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb, source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb, source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\order-181289654312464648.exe, Code function: 4x nop then jmp 027EF56Eh (0_2_027EED98)
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe, Code function: 4x nop then jmp 031DF56Eh (13_2_031DED98)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 4x nop then lea esp, dword ptr [ebp-04h] (15_2_060FB031)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (15_2_06D01F10)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (15_2_06D01F20)
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe, Code function: 4x nop then jmp 02B00799h (19_2_02B00560)
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe, Code function: 4x nop then jmp 02B00799h (19_2_02B00551)
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe, Code function: 4x nop then jmp 01890799h (22_2_01890560)
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe, Code function: 4x nop then jmp 01890799h (22_2_01890551)
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe, Code function: 4x nop then jmp 00DD0799h (23_2_00DD0560)
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe, Code function: 4x nop then jmp 00DD0799h (23_2_00DD0551)
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe, Code function: 4x nop then jmp 00FE0799h (24_2_00FE0560)
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe, Code function: 4x nop then jmp 00FE0799h (24_2_00FE0552)

    Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, IPs: 185.157.162.81
Source: global traffic, TCP traffic: 192.168.2.3:49741 -> 185.157.162.81:40700
Source: global traffic, TCP traffic: 192.168.2.3:49747 -> 185.157.161.86:40700
Source: Joe Sandbox View, IP Address: 185.157.162.81
Source: Joe Sandbox View, ASN Name: OBE-EUROPEObenetworkEuropeSE
Source: unknown, TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown, DNS traffic detected: queries for: nanopc.linkpc.net
Source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp, String found in binary or memory: http://google.com
Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.616518111.0000000001789000.00000004.00000040.sdmp, String found in binary or memory: http://iptc.tc4xmp3
Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.616518111.0000000001789000.00000004.00000040.sdmp, String found in binary or memory: http://ns.ado/Ident
Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.614681646.000000000157B000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: AddInProcess32.exe, 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

    E-Banking Fraud:

Yara detected Nanocore RAT

    System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.624910732.0000000006BD0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.625265297.0000000006CE0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.625016694.0000000006C30000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.624983363.0000000006C10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.620423784.0000000003E84000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.625032550.0000000006C40000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.625156989.0000000006CA0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.625048622.0000000006C50000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.625126493.0000000006C90000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.624889874.0000000006BC0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.619550033.0000000003C3E000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.625086476.0000000006C70000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.624999401.0000000006C20000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.623946602.00000000051A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.625068564.0000000006C60000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.620771478.0000000003F6F000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: order-181289654312464648.exe PID: 5964, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: order-181289654312464648.exe PID: 5964, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: fdcgjhjyuyihdastagghejh.exe PID: 6692, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: fdcgjhjyuyihdastagghejh.exe PID: 6692, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: AddInProcess32.exe PID: 4316, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: AddInProcess32.exe PID: 4316, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.AddInProcess32.exe.6bc0000.8.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6ca0000.18.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c60000.15.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.5c00000.6.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c10000.10.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c70000.16.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6ce0000.19.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c50000.14.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6ce0000.19.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6bd0000.9.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c20000.11.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.51a0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c60000.15.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c90000.17.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c90000.17.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c20000.11.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6bc0000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c30000.12.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.AddInProcess32.exe.6c30000.12.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c40000.13.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c70000.16.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.5c00000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c50000.14.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6ca0000.18.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6bd0000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: order-181289654312464648.exe
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe, Code function: 13_2_05AE3D68 CreateProcessAsUserW
Source: C:\Users\user\Desktop\order-181289654312464648.exe, Code function: 0_2_027EBB69
Source: C:\Users\user\Desktop\order-181289654312464648.exe, Code function: 0_2_027E9941
Source: C:\Users\user\Desktop\order-181289654312464648.exe, Code function: 0_2_027ED628
Source: C:\Users\user\Desktop\order-181289654312464648.exe, Code function: 0_2_027E7610
Source: C:\Users\user\Desktop\order-181289654312464648.exe, Code function: 0_2_027E3EF8
Source: C:\Users\user\Desktop\order-181289654312464648.exe, Code function: 0_2_027EA438
Source: C:\Users\user\Desktop\order-181289654312464648.exe, Code function: 0_2_027E04E8
Source: C:\Users\user\Desktop\order-181289654312464648.exe, Code function: 0_2_027EF598
Source: C:\Users\user\Desktop\order-181289654312464648.exe, Code function: 0_2_027EED98
Source: C:\Users\user\Desktop\order-181289654312464648.exe, Code function: 0_2_027EF588
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe, Code function: 13_2_05AE2BC0
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe, Code function: 13_2_05AE0570
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe, Code function: 13_2_05AE0CA0
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe, Code function: 13_2_05AD63AB
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe, Code function: 13_2_05AD48A2
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe, Code function: 13_2_05AE2280
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe, Code function: 13_2_05AE36F0
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe, Code function: 13_2_05AE1E08
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe, Code function: 13_2_031DBB69
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe, Code function: 13_2_031D9943
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe, Code function: 13_2_031D7610
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe, Code function: 13_2_031DD628
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe, Code function: 13_2_031D3EF8
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe, Code function: 13_2_031DF598
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe, Code function: 13_2_031DED98
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe, Code function: 13_2_031DA438
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe, Code function: 13_2_031D04E8
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe, Code function: 13_2_031DF588
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 15_2_006A2050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 15_2_029FE480
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 15_2_029FE471
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 15_2_029FBBD4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 15_2_0506F5F8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 15_2_05069788
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 15_2_0506A580
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 15_2_060FF4C0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 15_2_060F81C0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 15_2_060F8E96
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 15_2_060F8DD8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 15_2_06D03480
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 15_2_06D02340
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 15_2_06D0A0C8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 15_2_06D00040
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, Code function: 15_2_06D0A998
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 15_2_06D0092015_2_06D00920
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 15_2_06D0359E15_2_06D0359E
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 15_2_06D09D8015_2_06D09D80
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 15_2_06D000FE15_2_06D000FE
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 15_2_06F1099015_2_06F10990
    Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
    Source: order-181289654312464648.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: fdcgjhjyuyihdastagghejh.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: order-181289654312464648.exe, 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAstronot plart.exe> vs order-181289654312464648.exe
    Source: order-181289654312464648.exe, 00000000.00000002.316232468.00000000051A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs order-181289654312464648.exe
    Source: order-181289654312464648.exe, 00000000.00000002.316201203.0000000005150000.00000002.00000001.sdmp Binary or memory string: originalfilename vs order-181289654312464648.exe
    Source: order-181289654312464648.exe, 00000000.00000002.316201203.0000000005150000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs order-181289654312464648.exe
    Source: order-181289654312464648.exe, 00000000.00000002.316495486.0000000005B50000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs order-181289654312464648.exe
    Source: order-181289654312464648.exe, 00000000.00000002.314823666.00000000039C1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs order-181289654312464648.exe
    Source: order-181289654312464648.exe Binary or memory string: OriginalFilenamehugefrssaw.exeH vs order-181289654312464648.exe
    Source: order-181289654312464648.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
    Source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.624910732.0000000006BD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.624910732.0000000006BD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.625265297.0000000006CE0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.625265297.0000000006CE0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.625016694.0000000006C30000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.625016694.0000000006C30000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.624983363.0000000006C10000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.624983363.0000000006C10000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.620423784.0000000003E84000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.625032550.0000000006C40000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.625032550.0000000006C40000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.625156989.0000000006CA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.625156989.0000000006CA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.625048622.0000000006C50000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.625048622.0000000006C50000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.625126493.0000000006C90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.625126493.0000000006C90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.624889874.0000000006BC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.624889874.0000000006BC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.619550033.0000000003C3E000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.625086476.0000000006C70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.625086476.0000000006C70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.624999401.0000000006C20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.624999401.0000000006C20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.623946602.00000000051A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.623946602.00000000051A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.625068564.0000000006C60000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.625068564.0000000006C60000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.620771478.0000000003F6F000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: order-181289654312464648.exe PID: 5964, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: order-181289654312464648.exe PID: 5964, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: fdcgjhjyuyihdastagghejh.exe PID: 6692, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: fdcgjhjyuyihdastagghejh.exe PID: 6692, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: AddInProcess32.exe PID: 4316, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: AddInProcess32.exe PID: 4316, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.AddInProcess32.exe.6bc0000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6bc0000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6ca0000.18.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6ca0000.18.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6c60000.15.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6c60000.15.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.5c00000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.5c00000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6c10000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6c10000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6c70000.16.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6c70000.16.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6ce0000.19.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6ce0000.19.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6c50000.14.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6c50000.14.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6ce0000.19.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6ce0000.19.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6bd0000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6bd0000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6c20000.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6c20000.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.51a0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.51a0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6c60000.15.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6c60000.15.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6c90000.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6c90000.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6c90000.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6c90000.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6c20000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6c20000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6bc0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6bc0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6c30000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6c30000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.AddInProcess32.exe.6c30000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6c30000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6c40000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6c40000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6c70000.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6c70000.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.5c00000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.5c00000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6c50000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6c50000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6ca0000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6ca0000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6bd0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6bd0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 15.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
    Source: 15.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
    Source: classification engine | Classification label: mal100.troj.evad.winEXE@41/29@1/3
    Source: C:\Users\user\Desktop\order-181289654312464648.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdcgjhjyuyihdastagghejh.lnk
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{ebbd9300-ed31-4d29-88d8-4f7b7a7f8653}
    Source: C:\Users\user\Desktop\order-181289654312464648.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
    Source: order-181289654312464648.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\order-181289654312464648.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\order-181289654312464648.exe | File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\order-181289654312464648.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\order-181289654312464648.exe | File read: C:\Users\user\Desktop\order-181289654312464648.exe
    Source: unknown | Process created: C:\Users\user\Desktop\order-181289654312464648.exe 'C:\Users\user\Desktop\order-181289654312464648.exe'
    Source: unknown | Process created: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe 'C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe'
    Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
    Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: C:\Users\user\Desktop\order-181289654312464648.exe | Process created: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe 'C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe'
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Process created: unknown unknown
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | Process created: unknown unknown
    Source: C:\Users\user\Desktop\order-181289654312464648.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
    Source: C:\Users\user\Desktop\order-181289654312464648.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: order-181289654312464648.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: order-181289654312464648.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
    Source: order-181289654312464648.exe | Static file information: File size 5815808 > 1048576
    Source: order-181289654312464648.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x55fe00
    Source: order-181289654312464648.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
    Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe, AddInProcess32.exe.0.dr
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
    Source: Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 0000000F.00000000.391348657.00000000006A2000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp

    Data Obfuscation:

    .NET source code contains potential unpacker
    Source: 15.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 15.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Binary contains a suspicious time stamp
    Source: initial sample | Static PE information: 0xC7142059 [Sun Nov 3 05:36:25 2075 UTC]
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_05AD05E6 pushfd ; iretd 13_2_05AD0613
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_05AD4B71 push es; iretd 13_2_05AD5094
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_05AD4E9A push es; iretd 13_2_05AD5094
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_05AD0A2A push ds; ret 13_2_05AD0A51
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_029F4450 push FFFFFF89h; mov dword ptr [esp], eax 15_2_029F440A
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_050669F8 pushad ; retf 15_2_050669F9
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_060FC12D push es; iretd 15_2_060FC1FC
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_060FC1FD push es; iretd 15_2_060FC200
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_06D07E2C pushfd ; iretd 15_2_06D07E32
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_06D0F4F3 push B406CFCBh; retf 15_2_06D0F4F9
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_06D08479 pushfd ; iretd 15_2_06D0847A
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_06D085DC pushfd ; iretd 15_2_06D085DE
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_06D08538 pushfd ; iretd 15_2_06D0853A
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_06D082B8 pushfd ; iretd 15_2_06D082BA
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_06D083A1 pushfd ; iretd 15_2_06D083A2
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_06D08075 pushfd ; iretd 15_2_06D08076
    Source: fdexedxfuuyytwq.exe.13.dr, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs | High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
    Source: fdexedxfuuyytwq.exe.13.dr, Astronotplart/gabKErPURPS76kDKjrme.cs | High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
    Source: fdexedxfuuyytwq.exe.13.dr, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs | High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
    Source: fdexedxfuuyytwq.exe.13.dr, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs | High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
    Source: fdexedxfuuyytwq.exe.13.dr, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs | High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
    Source: 15.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 15.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: 19.0.fdexedxfuuyytwq.exe.860000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs | High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
    Source: 19.0.fdexedxfuuyytwq.exe.860000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.cs | High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
    Source: 19.0.fdexedxfuuyytwq.exe.860000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs | High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
    Source: 19.0.fdexedxfuuyytwq.exe.860000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs | High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
    Source: 19.0.fdexedxfuuyytwq.exe.860000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
    Source: 19.2.fdexedxfuuyytwq.exe.860000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
    Source: 19.2.fdexedxfuuyytwq.exe.860000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
    Source: 19.2.fdexedxfuuyytwq.exe.860000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.csHigh entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
    Source: 19.2.fdexedxfuuyytwq.exe.860000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.csHigh entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
    Source: 19.2.fdexedxfuuyytwq.exe.860000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
    Source: 22.2.fdexedxfuuyytwq.exe.da0000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
    Source: 22.2.fdexedxfuuyytwq.exe.da0000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
    Source: 22.2.fdexedxfuuyytwq.exe.da0000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.csHigh entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
    Source: 22.2.fdexedxfuuyytwq.exe.da0000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.csHigh entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
    Source: 22.2.fdexedxfuuyytwq.exe.da0000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
    Source: 22.0.fdexedxfuuyytwq.exe.da0000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
    Source: 22.0.fdexedxfuuyytwq.exe.da0000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
    Source: 22.0.fdexedxfuuyytwq.exe.da0000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.csHigh entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
    Source: 22.0.fdexedxfuuyytwq.exe.da0000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.csHigh entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
    Source: 22.0.fdexedxfuuyytwq.exe.da0000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
    Source: 23.2.fdexedxfuuyytwq.exe.510000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
    Source: 23.2.fdexedxfuuyytwq.exe.510000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
    Source: 23.2.fdexedxfuuyytwq.exe.510000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.csHigh entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
    Source: 23.2.fdexedxfuuyytwq.exe.510000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.csHigh entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
    Source: 23.2.fdexedxfuuyytwq.exe.510000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
    Source: 23.0.fdexedxfuuyytwq.exe.510000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
    Source: 23.0.fdexedxfuuyytwq.exe.510000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
    Source: 23.0.fdexedxfuuyytwq.exe.510000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.csHigh entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
    Source: 23.0.fdexedxfuuyytwq.exe.510000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.csHigh entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
    Source: 23.0.fdexedxfuuyytwq.exe.510000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
    Source: 24.2.fdexedxfuuyytwq.exe.740000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
    Source: 24.2.fdexedxfuuyytwq.exe.740000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
    Source: 24.2.fdexedxfuuyytwq.exe.740000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.csHigh entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
    Source: 24.2.fdexedxfuuyytwq.exe.740000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.csHigh entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
    Source: 24.2.fdexedxfuuyytwq.exe.740000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
    Source: C:\Users\user\Desktop\order-181289654312464648.exe File created: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe
    Source: C:\Users\user\Desktop\order-181289654312464648.exe File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe File created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
    Source: C:\Users\user\Desktop\order-181289654312464648.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdcgjhjyuyihdastagghejh.lnk

    Hooking and other Techniques for Hiding and Protection:

    Icon mismatch, binary includes an icon from a different legit application in order to fool users
    Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon (6).png
    Hides that the sample has been downloaded from the Internet (zone.identifier)
    Source: C:\Users\user\Desktop\order-181289654312464648.exe File opened: C:\Users\user\Desktop\order-181289654312464648.exe\:Zone.Identifier read attributes | delete
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe File opened: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe\:Zone.Identifier read attributes | delete
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe:Zone.Identifier read attributes | delete
    Source: C:\Users\user\Desktop\order-181289654312464648.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
    Source: C:\Users\user\Desktop\order-181289654312464648.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: C:\Users\user\Desktop\order-181289654312464648.exe Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\order-181289654312464648.exe Window / User API: threadDelayed 1742
    Source: C:\Users\user\Desktop\order-181289654312464648.exe Window / User API: threadDelayed 8032
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe Window / User API: threadDelayed 663
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe Window / User API: threadDelayed 9132
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Window / User API: threadDelayed 1765
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Window / User API: threadDelayed 7880
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Window / User API: foregroundWindowGot 490
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Window / User API: foregroundWindowGot 512
    Source: C:\Users\user\Desktop\order-181289654312464648.exe TID: 1928 Thread sleep time: -15679732462653109s >= -30000s
    Source: C:\Users\user\Desktop\order-181289654312464648.exe TID: 1928 Thread sleep time: -30000s >= -30000s
    Source: C:\Users\user\Desktop\order-181289654312464648.exe TID: 4712 Thread sleep count: 1742 > 30
    Source: C:\Users\user\Desktop\order-181289654312464648.exe TID: 4712 Thread sleep count: 8032 > 30
    Source: C:\Users\user\Desktop\order-181289654312464648.exe TID: 1928 Thread sleep count: 59 > 30
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe TID: 6924 Thread sleep time: -13835058055282155s >= -30000s
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe TID: 6924 Thread sleep time: -30000s >= -30000s
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe TID: 6932 Thread sleep count: 663 > 30
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe TID: 6932 Thread sleep count: 9132 > 30
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe TID: 6924 Thread sleep count: 48 > 30
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 3060 Thread sleep time: -7378697629483816s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe TID: 5140 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe TID: 5492 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe TID: 2288 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe TID: 6524 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe TID: 2140 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe TID: 3236 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe TID: 3688 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe TID: 3064 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe TID: 6636 Thread sleep time: -922337203685477s >= -30000s
    Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp Binary or memory string: VMware
    Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp Binary or memory string: vmware svga
    Source: order-181289654312464648.exe, 00000000.00000002.316232468.00000000051A0000.00000002.00000001.sdmp, AddInProcess32.exe, 0000000F.00000002.624653683.00000000064C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp Binary or memory string: vmware
    Source: order-181289654312464648.exe, 00000000.00000002.314823666.00000000039C1000.00000004.00000001.sdmp, fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
    Source: order-181289654312464648.exe, 00000000.00000002.314823666.00000000039C1000.00000004.00000001.sdmp, fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp Binary or memory string: cmd.txtQEMUqemu
    Source: order-181289654312464648.exe, 00000000.00000002.314823666.00000000039C1000.00000004.00000001.sdmp, fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp Binary or memory string: vmusrvc
    Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp Binary or memory string: vmsrvc
    Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp Binary or memory string: vmtools
    Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
    Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp Binary or memory string: vboxservicevbox)Microsoft Virtual PC
    Source: order-181289654312464648.exe, 00000000.00000002.316232468.00000000051A0000.00000002.00000001.sdmp, AddInProcess32.exe, 0000000F.00000002.624653683.00000000064C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: order-181289654312464648.exe, 00000000.00000002.316232468.00000000051A0000.00000002.00000001.sdmp, AddInProcess32.exe, 0000000F.00000002.624653683.00000000064C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp Binary or memory string: virtual-vmware pointing device
    Source: order-181289654312464648.exe, 00000000.00000002.316232468.00000000051A0000.00000002.00000001.sdmp, AddInProcess32.exe, 0000000F.00000002.624653683.00000000064C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: AddInProcess32.exe, 0000000F.00000003.449233955.0000000000BF8000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld
    Source: C:\Users\user\Desktop\order-181289654312464648.exe Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\order-181289654312464648.exe Process token adjusted: Debug
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe Process token adjusted: Debug
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Process token adjusted: Debug
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe Process token adjusted: Debug
    Source: C:\Users\user\Desktop\order-181289654312464648.exe Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion:

    Allocates memory in foreign processes
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write
    Injects a PE file into a foreign processes
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A
    Writes to foreign memory regions
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 402000
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 420000
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 422000
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 95F008
    Source: C:\Users\user\Desktop\order-181289654312464648.exe Process created: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe 'C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe'
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe Process created: unknown unknown
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe Process created: unknown unknown
    Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.616632371.0000000001D20000.00000002.00000001.sdmp, AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp, fdexedxfuuyytwq.exe, 00000016.00000002.608864585.0000000001D80000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000018.00000002.609921970.0000000001780000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 0000001B.00000002.609769452.0000000001D60000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 0000001D.00000002.608183259.0000000001070000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 0000001F.00000002.611380730.0000000001D70000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000021.00000002.611387974.0000000000F90000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000023.00000002.608440755.0000000001D90000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000026.00000002.609963291.00000000016B0000.00000002.00000001.sdmp Binary or memory string: Program Manager
    Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.616632371.0000000001D20000.00000002.00000001.sdmp, AddInProcess32.exe, 0000000F.00000002.611524169.0000000001530000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000016.00000002.608864585.0000000001D80000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000018.00000002.609921970.0000000001780000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 0000001B.00000002.609769452.0000000001D60000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 0000001D.00000002.608183259.0000000001070000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 0000001F.00000002.611380730.0000000001D70000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000021.00000002.611387974.0000000000F90000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000023.00000002.608440755.0000000001D90000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000026.00000002.609963291.00000000016B0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
    Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.616632371.0000000001D20000.00000002.00000001.sdmp, AddInProcess32.exe, 0000000F.00000002.611524169.0000000001530000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000016.00000002.608864585.0000000001D80000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000018.00000002.609921970.0000000001780000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 0000001B.00000002.609769452.0000000001D60000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 0000001D.00000002.608183259.0000000001070000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 0000001F.00000002.611380730.0000000001D70000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000021.00000002.611387974.0000000000F90000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000023.00000002.608440755.0000000001D90000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000026.00000002.609963291.00000000016B0000.00000002.00000001.sdmp Binary or memory string: Progman
    Source: AddInProcess32.exe, 0000000F.00000002.624527365.00000000060DD000.00000004.00000001.sdmp Binary or memory string: Program Managerram Manager
    Source: AddInProcess32.exe, 0000000F.00000002.612718813.0000000002D57000.00000004.00000001.sdmp Binary or memory string: Program ManagerD$+l8`
    Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.616632371.0000000001D20000.00000002.00000001.sdmp, AddInProcess32.exe, 0000000F.00000002.611524169.0000000001530000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000016.00000002.608864585.0000000001D80000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000018.00000002.609921970.0000000001780000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 0000001B.00000002.609769452.0000000001D60000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 0000001D.00000002.608183259.0000000001070000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 0000001F.00000002.611380730.0000000001D70000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000021.00000002.611387974.0000000000F90000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000023.00000002.608440755.0000000001D90000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000026.00000002.609963291.00000000016B0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
    Source: AddInProcess32.exe, 0000000F.00000002.624363068.0000000005B7C000.00000004.00000001.sdmp Binary or memory string: Program Manager4
    Source: AddInProcess32.exe, 0000000F.00000002.624859083.00000000067EC000.00000004.00000001.sdmp Binary or memory string: Program Manager
    Source: C:\Users\user\Desktop\order-181289654312464648.exe Queries volume information: C:\Users\user\Desktop\order-181289654312464648.exe VolumeInformation
    Source: C:\Users\user\Desktop\order-181289654312464648.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\order-181289654312464648.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe Queries volume information: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe VolumeInformation
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe Queries volume information: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe  Code function: 15_2_06D011A0 GetSystemTimes, 15_2_06D011A0
    Source: C:\Users\user\Desktop\order-181289654312464648.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

    Stealing of Sensitive Information:

    Yara detected Nanocore RAT
    Source: Yara match  File source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match  File source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match  File source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match  File source: 0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match  File source: 00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match  File source: 00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match  File source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match  File source: 0000000F.00000002.619247841.0000000003B51000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match  File source: 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match  File source: 0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match  File source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match  File source: 0000000F.00000002.620771478.0000000003F6F000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match  File source: Process Memory Space: order-181289654312464648.exe PID: 5964, type: MEMORY
    Source: Yara match  File source: Process Memory Space: fdcgjhjyuyihdastagghejh.exe PID: 6692, type: MEMORY
    Source: Yara match  File source: Process Memory Space: AddInProcess32.exe PID: 4316, type: MEMORY
    Source: Yara match  File source: 15.2.AddInProcess32.exe.5c00000.6.unpack, type: UNPACKEDPE
    Source: Yara match  File source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match  File source: 15.2.AddInProcess32.exe.5c00000.6.raw.unpack, type: UNPACKEDPE

    Remote Access Functionality:

    Detected Nanocore Rat
    Source: order-181289654312464648.exe, 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp  String found in binary or memory: NanoCore.ClientPluginHost
    Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp  String found in binary or memory: NanoCore.ClientPluginHost
    Source: AddInProcess32.exe, 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp  String found in binary or memory: NanoCore.ClientPluginHost
    Source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp  String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp  String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
    Source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp  String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
    Source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp  String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
    Source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp  String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Yara detected Nanocore RAT
    Source: Yara match  File source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match  File source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match  File source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match  File source: 0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match  File source: 00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match  File source: 00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match  File source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match  File source: 0000000F.00000002.619247841.0000000003B51000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match  File source: 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match  File source: 0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match  File source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match  File source: 0000000F.00000002.620771478.0000000003F6F000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match  File source: Process Memory Space: order-181289654312464648.exe PID: 5964, type: MEMORY
    Source: Yara match  File source: Process Memory Space: fdcgjhjyuyihdastagghejh.exe PID: 6692, type: MEMORY
    Source: Yara match  File source: Process Memory Space: AddInProcess32.exe PID: 4316, type: MEMORY
    Source: Yara match  File source: 15.2.AddInProcess32.exe.5c00000.6.unpack, type: UNPACKEDPE
    Source: Yara match  File source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match  File source: 15.2.AddInProcess32.exe.5c00000.6.raw.unpack, type: UNPACKEDPE

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts1 | Windows Management Instrumentation1 | Startup Items1 | Startup Items1 | Disable or Modify Tools1 | Input Capture21 | System Time Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Valid Accounts1 | Valid Accounts1 | Deobfuscate/Decode Files or Information1 | LSASS Memory | File and Directory Discovery1 | Remote Desktop Protocol | Input Capture21 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Registry Run Keys / Startup Folder2 | Access Token Manipulation1 | Obfuscated Files or Information2 | Security Account Manager | System Information Discovery13 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Process Injection312 | Software Packing11 | NTDS | Query Registry1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Registry Run Keys / Startup Folder2 | Timestomp1 | LSA Secrets | Security Software Discovery121 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol11 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading11 | Cached Domain Credentials | Virtualization/Sandbox Evasion3 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Valid Accounts1 | DCSync | Process Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation1 | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
    Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Virtualization/Sandbox Evasion3 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
    Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Process Injection312 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
    Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Hidden Files and Directories1 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop

    Behavior Graph

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    [Behavior graph ID 339042, sample order-181289654312464648.exe, start date 13/01/2021, architecture WINDOWS, score 100. Recoverable graph content: order-181289654312464648.exe drops fdcgjhjyuyihdastagghejh.exe, AddInProcess32.exe, a fdcgjhjyuyihdastag...exe:Zone.Identifier stream and order-181289654312464648.exe.log, then starts fdcgjhjyuyihdastagghejh.exe; that process drops fdexedxfuuyytwq.exe and starts AddInProcess32.exe, fdexedxfuuyytwq.exe and 7 other processes; AddInProcess32.exe contacts 185.157.162.81 (ports 40700, 49741, 49743; OBE-EUROPEObenetworkEuropeSE, Sweden) and nanopc.linkpc.net / 185.157.161.86 (ports 40700, 49747; same ASN) and drops C:\Users\user\AppData\Roaming\...\run.dat; fdexedxfuuyytwq.exe contacts 192.168.2.1 and spawns further fdexedxfuuyytwq.exe instances. Signatures shown in the graph: Found malware configuration; Malicious sample detected (through community Yara rule); Icon mismatch; Hides that the sample has been downloaded from the Internet (zone.identifier); Machine Learning detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Multi AV Scanner detection for dropped file; 8 other signatures.]


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    order-181289654312464648.exe | 100% | Joe Sandbox ML |

    Dropped Files

    Source | Detection | Scanner | Label
    C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | 100% | Joe Sandbox ML |
    C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0% | Virustotal |
    C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0% | Metadefender |
    C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0% | ReversingLabs |
    C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | 7% | Virustotal |
    C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | 3% | Metadefender |
    C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | 7% | ReversingLabs |

    Unpacked PE Files

    Source | Detection | Scanner | Label
    15.2.AddInProcess32.exe.5c00000.6.unpack | 100% | Avira | TR/NanoCore.fadte
    15.2.AddInProcess32.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label
    http://iptc.tc4xmp3 | 0% | Avira URL Cloud | safe
    http://ns.ado/Ident | 0% | Avira URL Cloud | safe

    Domains and IPs

    Contacted Domains

    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    nanopc.linkpc.net | 185.157.161.86 | true | false | | high

      URLs from Memory and Binaries

      Name | Source | Malicious | Antivirus Detection | Reputation
      http://iptc.tc4xmp3 | fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.616518111.0000000001789000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
      http://ns.ado/Ident | fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.616518111.0000000001789000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown

      Contacted IPs

      • No. of IPs < 25%
      • 25% < No. of IPs < 50%
      • 50% < No. of IPs < 75%
      • 75% < No. of IPs

      Public

      IPDomainCountryFlagASNASN NameMalicious
      185.157.162.81
      unknownSweden
      197595OBE-EUROPEObenetworkEuropeSEtrue
      185.157.161.86
      unknownSweden
      197595OBE-EUROPEObenetworkEuropeSEfalse

      Private

      IP
      192.168.2.1

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 339042
Start date: 13.01.2021
Start time: 10:15:43
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 33s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: order-181289654312464648.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@41/29@1/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 2.2% (good quality ratio 1.8%)
• Quality average: 67.9%
• Quality standard deviation: 33%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 115
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
• Excluded IPs from analysis (whitelisted): 40.88.32.150, 52.255.188.83, 23.210.248.85, 51.104.139.180, 92.122.213.194, 92.122.213.247, 2.20.143.16, 2.20.142.210, 2.20.142.209, 51.103.5.159, 20.54.26.129, 51.11.168.160, 20.190.129.2, 40.126.1.128, 40.126.1.166, 20.190.129.133, 20.190.129.128, 40.126.1.145, 40.126.1.130, 20.190.129.160, 52.155.217.156
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, login.live.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time | Type | Description
10:16:39 | API Interceptor | 180x Sleep call for process: order-181289654312464648.exe modified
10:16:43 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdcgjhjyuyihdastagghejh.lnk
10:17:29 | API Interceptor | 194x Sleep call for process: fdcgjhjyuyihdastagghejh.exe modified
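The indicators this report exposes (the C2 host and IPs, the dropped-file hashes, the startup .lnk written at 10:16:43, and a copy of AddInProcess32.exe running from %TEMP% as the injection host) are what a responder sweeps other hosts for. The following is an added example of such a sweep, not part of the Joe Sandbox report or of any Joe Security tooling: it matches Sysmon-style process, file and network events against the report's indicators. The indicator values are copied from this report; the event records and their field names (type, image, parent_image, sha256, dst_ip, dst_host, dst_port, path) are constructed for the example and are not a real Sysmon export. Two judgement calls are made for this example rather than by the report: 185.157.161.86 is treated as C2 because it is what nanopc.linkpc.net resolved to, although the Contacted IPs table marks it "Malicious: false"; and 40700 is assumed to be the remote port of the C2 connection, with the 497xx ports read as ephemeral client ports. The legitimate install location of AddInProcess32.exe (%WINDIR%\Microsoft.NET\Framework*\v4.0.30319) is a fact about .NET Framework, not something the report states; the report shows only that the dropped copy is the process whose unpacked memory carries the NanoCore payload.

```python
"""Host-triage sweep for the indicators in this report.

Added example, not part of the Joe Sandbox report. Indicator values are
copied from the report; the event records and field names below are
constructed Sysmon-style samples, not a real export.
"""
import re

# --- indicators taken from the report ---------------------------------------
IOC_SHA256 = {
    "2d564ae361eb499ca493273e9fcfb88546105c88293c7633a7e1580a435cee9f":
        "order-181289654312464648.exe (initial sample)",
    "23f4a2ccdce499c524cf43793fda8e773d809514b5471c02fa5e68f0cda7a10b":
        "AddInProcess32.exe (dropped to %TEMP%, 0% AV, NanoCore in unpacked memory)",
}
C2_HOSTS = {"nanopc.linkpc.net"}
# 185.157.161.86 is included because nanopc.linkpc.net resolved to it,
# although the report's Contacted IPs table marks it "Malicious: false".
C2_IPS = {"185.157.162.81", "185.157.161.86"}
C2_PORT = 40700  # assumed remote port; the 497xx ports in the graph read as client ports
DROPPED_NAMES = {"fdcgjhjyuyihdastagghejh.exe", "fdexedxfuuyytwq.exe"}
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
# A .NET Framework host binary running from a user-writable directory is the
# injection target shown in the process tree. Its legitimate location is
# %WINDIR%\Microsoft.NET\Framework*\v4.0.30319\ (fact about .NET, not from the report).
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
HOLLOWED_HOST = "addinprocess32.exe"


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return a list of (rule, detail) hits for one event dict."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        image = ev.get("image", "")
        parent = ev.get("parent_image", "")
        sha = ev.get("sha256", "").lower()
        if sha in IOC_SHA256:
            hits.append(("known-bad-hash", IOC_SHA256[sha]))
        if _basename(image) == HOLLOWED_HOST and USER_WRITABLE.match(image):
            hits.append(("framework-host-in-user-dir", image))
        for p in (image, parent):
            if _basename(p) in DROPPED_NAMES:
                hits.append(("dropped-name", p))
    elif kind == "network":
        ip, host = ev.get("dst_ip", ""), ev.get("dst_host", "").lower()
        port = ev.get("dst_port")
        if ip in C2_IPS or host in C2_HOSTS:
            detail = f"{host or ip}:{port}"
            if port == C2_PORT:
                detail += " (report C2 port)"
            hits.append(("c2-destination", detail))
    elif kind == "file":
        path = ev.get("path", "")
        if STARTUP_LNK.search(path):
            hits.append(("startup-lnk", path))
        if _basename(path) in DROPPED_NAMES:
            hits.append(("dropped-name", path))
    return hits


def triage(events):
    """Run every event through check_event; return findings tagged with the event index."""
    return [
        {"event": i, "rule": rule, "detail": detail}
        for i, ev in enumerate(events)
        for rule, detail in check_event(ev)
    ]


# Constructed sample telemetry: events 0-3 mirror the report's process tree,
# events 4-5 are benign controls (the genuine framework host, unrelated traffic).
SAMPLE_EVENTS = [
    {"type": "process",
     "image": r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe",
     "parent_image": r"C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe",
     "sha256": "23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B"},
    {"type": "network", "image": r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe",
     "dst_ip": "185.157.162.81", "dst_host": "", "dst_port": 40700},
    {"type": "network", "image": r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe",
     "dst_ip": "185.157.161.86", "dst_host": "nanopc.linkpc.net", "dst_port": 40700},
    {"type": "file",
     "path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdcgjhjyuyihdastagghejh.lnk"},
    {"type": "process",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "network", "image": r"C:\Program Files\Example\updater.exe",
     "dst_ip": "192.0.2.10", "dst_host": "", "dst_port": 443},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f['event']}: {f['rule']}: {f['detail']}")
```

The hash rule is exact and brittle (a rebuilt dropper changes it); the path, name and destination rules are the ones that survive recompilation, and the framework-host rule in particular catches the pattern regardless of which sample dropped it, at the cost of needing a whitelist of the real install paths on hosts with several .NET versions.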

Joe Sandbox View / Context

IPs

Match: 185.157.162.81. Associated samples (all detected as malicious): 89GsVCJAXv.exe, spetsifikatsiya.xls, dpR3o92MH1.exe, 0qNSJXB8nG.exe, 7w7LwD8bqe.exe, ZZB5zuv1X0.exe, spetsifikatsiya.xls, ptoovvKZ80.exe, spetsifikatsiya.xls, EnJsj6nuD4.exe, zlkcd7HSQp.exe, machine.xls, qdnLoWn1E8.exe, ogYg79jWpR.exe, ORDER PMX-PT-2001 STOCK+NOVO.exe, DHL_10177_R293_DOCUMENT.exe, Order_List_PO# 081928.pdf.exe, CF09550WJ901.pdf.exe, Order List PO# 081927.pdf.exe, Doc#662020094753525765301499.pdf.exe

Match: 185.157.161.86. Associated samples (all detected as malicious): Order_1101201918_AUTECH.exe, 50404868-c352-422f-a608-7fd64b335eec.exe, 74725794.pdf.exe, Order_List_PO# 0819289.exe

Domains

Match: nanopc.linkpc.net. Associated samples (all detected as malicious), with the IP the domain resolved to in that analysis:
• ORDER PMX-PT-2001 STOCK+NOVO.exe: 185.157.162.81
• DHL_10177_R293_DOCUMENT.exe: 105.112.101.201

ASN

Match: OBE-EUROPE Obenetwork Europe, SE (AS197595). Associated samples (all detected as malicious), with the IP each contacted in this ASN:
• Doc#6620200947535257653.exe: 185.157.160.233
• Scan_order.exe: 185.157.161.61
• inrfzFzDHR.exe: 45.148.16.42
• SecuriteInfo.com.generic.ml.exe: 185.157.161.61
• New PO.doc: 185.157.161.61
• 89GsVCJAXv.exe: 185.157.162.81
• spetsifikatsiya.xls: 185.157.162.81
• DHL_file 187652345643476245.exe: 185.157.160.233
• dpR3o92MH1.exe: 185.157.162.81
• 0qNSJXB8nG.exe: 185.157.162.81
• Order_1101201918_AUTECH.exe: 185.157.161.86
• 7w7LwD8bqe.exe: 185.157.162.81
• ZZB5zuv1X0.exe: 185.157.162.81
• spetsifikatsiya.xls: 185.157.162.81
• ptoovvKZ80.exe: 185.157.162.81
• spetsifikatsiya.xls: 185.157.162.81
• EnJsj6nuD4.exe: 185.157.162.81
• AdviceSlip.xls: 217.64.149.169
• DHL_file 187652345643476245.exe: 185.157.160.233
• DHL_file 187652345643476245.exe: 185.157.160.233

JA3 Fingerprints

No context

Dropped Files

Match: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe. Seen in analyses of (all detected as malicious): PO_60577.exe, IMG_73344332#U00e2#U20ac#U00aegpj.exe, Ziraat Bankasi Swift Mesaji.exe, Doc#6620200947535257653.exe, SecuriteInfo.com.Generic.mg.15368412abd71685.exe, RT-05723.exe, Dekont.pdf.exe, cFAWQ1mv83.exe, I7313Y5Rr2.exe, SWIFT-COPY Payment advice3243343.exe, bWVvaTptgL.exe, umOXxQ9PFS.exe, BL,IN&PL.exe, ORDER #0554.exe, Dekont.pdf.exe, IMG_84755643#U00e2#U20ac#U00aegpj.exe, 8WLxD8uxRN.exe, Quotation.exe, e-dekont.html.exe, Dekont.pdf.exe

Match: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe. Seen in analyses of (all detected as malicious): SecuriteInfo.com.Generic.mg.5a4b41327cabca49.exe, SecuriteInfo.com.FileRepMalware.exe, TD-10057.exe, FedExAWB 772584418730.doc, Doc#6620200947535257653.exe, TD-10057.doc, ndSscoDob9.exe, SecuriteInfo.com.Generic.mg.15368412abd71685.exe, QL-0217.doc, DXXJmIDl3C.exe, 0YdVJ6vqhO.exe, RT-05723.exe, RT-05723.doc, DHL_file 187652345643476245.exe, Order_1101201918_AUTECH.exe

                                                                                                                            Created / dropped Files

                                                                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fdexedxfuuyytwq.exe.log
                                                                                                                            Process:C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):1362
                                                                                                                            Entropy (8bit):5.343186145897752
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:ML9E4Ks2eE4O1lEE4UVwPKDE4KhK3VZ9pKhuE4IWUAE4KI6no84j:MxHKXeHKlEHU0YHKhQnouHIW7HKjovj
                                                                                                                            MD5:1249251E90A1C28AB8F7235F30056DEB
                                                                                                                            SHA1:166BA6B64E9B0D9BA7B856334F7D7EC027030BA1
                                                                                                                            SHA-256:B5D65BF3581136CD5368BC47FA3972E06F526EED407BC6571D11D9CD4B5C4D83
                                                                                                                            SHA-512:FD880C5B12B22241F67139ABD09B99ACE7A4DD24635FC6B340A3E7C463E2AEF3FA68EF647352132934BC1F8CA134F46064049449ACB67954BEDDEA9AA9670885
                                                                                                                            Malicious:false
                                                                                                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
                                                                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\order-181289654312464648.exe.log
                                                                                                                            Process:C:\Users\user\Desktop\order-181289654312464648.exe
                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                            Category:modified
                                                                                                                            Size (bytes):1451
                                                                                                                            Entropy (8bit):5.345862727722058
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:ML9E4Ks2eE4O1lEE4UVwPKDE4KhK3VZ9pKhuE4IWUAE4KI6no84G1qE4j:MxHKXeHKlEHU0YHKhQnouHIW7HKjovGm
                                                                                                                            MD5:06F54CDBFEF62849AF5AE052722BD7B6
                                                                                                                            SHA1:FB0250AAC2057D0B5BCE4CE130891E428F28DA05
                                                                                                                            SHA-256:4C039B93A728B546F49C47ED8B448D40A3553CDAABB147067AEE3958133CB446
                                                                                                                            SHA-512:34EF5F6D5EAB0E5B11AC81F0D72FC56304291EDEEF6D19DF7145FDECAB5D342767DBBC0B4384B8DECB5741E6B85A4B431DF14FBEB5DDF2DEE103064D2895EABB
                                                                                                                            Malicious:true
                                                                                                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
                                                                                                                            C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                                                                                                                            Process:C:\Users\user\Desktop\order-181289654312464648.exe
                                                                                                                            File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):42080
                                                                                                                            Entropy (8bit):6.2125074198825105
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:384:gc3JOvwWj8Gpw0A67dOpRIMKJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+QsPZw:g4JU8g17dl6Iq88MoBd7mFViqM5sL2
                                                                                                                            MD5:F2A47587431C466535F3C3D3427724BE
                                                                                                                            SHA1:90DF719241CE04828F0DD4D31D683F84790515FF
                                                                                                                            SHA-256:23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
                                                                                                                            SHA-512:E9D0819478DDDA47763C7F5F617CD258D0FACBBBFFE0C7A965EDE9D0D884A6D7BB445820A3FD498B243BBD8BECBA146687B61421745E32B86272232C6F9E90D8
                                                                                                                            Malicious:true
                                                                                                                            Antivirus:
                                                                                                                            • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                            • Antivirus: Metadefender, Detection: 0%, Browse
                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                            Joe Sandbox View:
                                                                                                                            • Filename: PO_60577.exe, Detection: malicious, Browse
                                                                                                                            • Filename: IMG_73344332#U00e2#U20ac#U00aegpj.exe, Detection: malicious, Browse
• Filename: Ziraat Bankasi Swift Mesaji.exe, Detection: malicious
• Filename: Doc#6620200947535257653.exe, Detection: malicious
• Filename: SecuriteInfo.com.Generic.mg.15368412abd71685.exe, Detection: malicious
• Filename: RT-05723.exe, Detection: malicious
• Filename: Dekont.pdf.exe, Detection: malicious
• Filename: cFAWQ1mv83.exe, Detection: malicious
• Filename: I7313Y5Rr2.exe, Detection: malicious
• Filename: SWIFT-COPY Payment advice3243343.exe, Detection: malicious
• Filename: bWVvaTptgL.exe, Detection: malicious
• Filename: umOXxQ9PFS.exe, Detection: malicious
• Filename: BL,IN&PL.exe, Detection: malicious
• Filename: ORDER #0554.exe, Detection: malicious
• Filename: Dekont.pdf.exe, Detection: malicious
• Filename: IMG_84755643#U00e2#U20ac#U00aegpj.exe, Detection: malicious
• Filename: 8WLxD8uxRN.exe, Detection: malicious
• Filename: Quotation.exe, Detection: malicious
• Filename: e-dekont.html.exe, Detection: malicious
• Filename: Dekont.pdf.exe, Detection: malicious
C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
Process: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 78336
Entropy (8bit): 4.369296705546591
Encrypted: false
SSDEEP: 768:jlU4+MS3Fu0thSOV4GM0SuHk9Oh/1TRIWUk7NlfaNV9KQLxXXSv:l6o03IGMLuHk+Ck5lfaNP7xSv
MD5: 0E362E7005823D0BEC3719B902ED6D62
SHA1: 590D860B909804349E0CDC2F1662B37BD62F7463
SHA-256: 2D0DC6216F613AC7551A7E70A798C22AEE8EB9819428B1357E2B8C73BEF905AD
SHA-512: 518991B68496B3F8545E418CF9B345E0791E09CC20D177B8AA47E0ABA447AA55383C64F5BDACA39F2B061A5D08C16F2AD484AF8A9F238CA23AB081618FBA3AD3
Malicious: false
Antivirus:
• Antivirus: Virustotal, Detection: 7%
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 7%
Joe Sandbox View:
• Filename: SecuriteInfo.com.Generic.mg.5a4b41327cabca49.exe, Detection: malicious
• Filename: SecuriteInfo.com.FileRepMalware.exe, Detection: malicious
• Filename: TD-10057.exe, Detection: malicious
• Filename: FedExAWB 772584418730.doc, Detection: malicious
• Filename: Doc#6620200947535257653.exe, Detection: malicious
• Filename: TD-10057.doc, Detection: malicious
• Filename: ndSscoDob9.exe, Detection: malicious
• Filename: SecuriteInfo.com.Generic.mg.15368412abd71685.exe, Detection: malicious
• Filename: QL-0217.doc, Detection: malicious
• Filename: DXXJmIDl3C.exe, Detection: malicious
• Filename: 0YdVJ6vqhO.exe, Detection: malicious
• Filename: RT-05723.exe, Detection: malicious
• Filename: RT-05723.doc, Detection: malicious
• Filename: DHL_file 187652345643476245.exe, Detection: malicious
• Filename: Order_1101201918_AUTECH.exe, Detection: malicious
C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.txt
Process: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 72
Entropy (8bit): 4.885154258886507
Encrypted: false
SSDEEP: 3:uVNWXp5cViEaKC5dVPF9OA1YnXVy:uVNWXp+NaZ5rPF9O2Ync
MD5: EACC6D9F7D6EFE25CB48137E7064F313
SHA1: 1E767634BE3B749B6549F3101A09E2715859558B
SHA-256: DBDFB40802DF3D9FA9923C7186586AEAB2985126EFB203E78A7CE2B53546F6D8
SHA-512: 0C3187B94CEFAAFD731D504E17D602D14A2819A68B239444BDA6135476F7EDCEC6B0A017E2762C59ADDAFDC405B884373A608CE3A9A9DB8087C62B6F330159CB
Malicious: false
Preview: 6692..C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe..7120..
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
Process: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
File Type: data
Category: dropped
Size (bytes): 232
Entropy (8bit): 7.024371743172393
Encrypted: false
SSDEEP: 6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
MD5: 32D0AAE13696FF7F8AF33B2D22451028
SHA1: EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
SHA-256: 5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
SHA-512: 1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
Malicious: false
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Process: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
File Type: Non-ISO extended-ASCII text, with no line terminators
Category: dropped
Size (bytes): 8
Entropy (8bit): 3.0
Encrypted: false
SSDEEP: 3:TOt:TOt
MD5: 9DCCFC1428F275A4E2429AFEA104655B
SHA1: 4C4AAC284536CFB553FEBE32DF9D4C8DAEB47741
SHA-256: F8026D5E1B4CA4035C68C75F13026580B0A5B39CC6663D238FC92FD2D139D359
SHA-512: E320E38E187436748EE236F6F11EEAF7C61DC9C14A96A271E97A3EF8B6F22DD9C79F783FF5F48CBBF5FE7A64E15F38B52AC817C088FABCE9FE4757236C78D887
Malicious: true
Preview: J=...H
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
Process: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
File Type: data
Category: dropped
Size (bytes): 40
Entropy (8bit): 5.153055907333276
Encrypted: false
SSDEEP: 3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5: 4E5E92E2369688041CC82EF9650EDED2
SHA1: 15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256: F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512: 1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious: false
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
Process: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
File Type: data
Category: dropped
Size (bytes): 327432
Entropy (8bit): 7.99938831605763
Encrypted: true
SSDEEP: 6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
MD5: 7E8F4A764B981D5B82D1CC49D341E9C6
SHA1: D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
SHA-256: 0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
SHA-512: 880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
Malicious: false
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdcgjhjyuyihdastagghejh.lnk
Process: C:\Users\user\Desktop\order-181289654312464648.exe
File Type: MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category: dropped
Size (bytes): 1008
Entropy (8bit): 3.2517421808078684
Encrypted: false
SSDEEP: 12:8wl06sXou41w/tz0/CSLMeI2DsAMPHAMYmO3qMJCHAM2gTCNfBT/v4t2Y+xIBjK:8Rf4eWLZ//7DPthJVpd7aB
MD5: FB516F578D9499D6DB698AE541F8FCCB
SHA1: E26C9B2F619BCD1216E1C17689392BAF50E202C9
SHA-256: 7EA8400005E701A3C980DE2BAB4EE042A927863E50689A81F79BAEE90CCF72EA
SHA-512: EC1BF91EC555919605675732417D32E94B9C53AA063A6823042DD59010317C15EE0599C2BD3E5E4CC622226625E29E29B69E56C2BD7588124A0081D446B3761B
Malicious: false
C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe
Process: C:\Users\user\Desktop\order-181289654312464648.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 5815808
Entropy (8bit): 7.8329710414512155
Encrypted: false
SSDEEP: 98304:3QRUDjYYo/PJhTLqj7tLS+5xZEU2ytc40Gk15GhYwfxK+gEwj7u/B:3QRUIzTLq75x+U/tc9GrhPAFOJ
MD5: 28DA42C2CD57E51CB8EA7DF263802924
SHA1: 81C980F2CDA9B42B0B8BF50C7128CC88AFD942FD
SHA-256: 2D564AE361EB499CA493273E9FCFB88546105C88293C7633A7E1580A435CEE9F
SHA-512: 594EF84101106F21760953B8DD2660CAA21FC6F08790B588875781B1233586A000CFAE1D3A3001A1221762A08F18705E401C5AF60F25D7E37032335346D9F828
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe:Zone.Identifier
Process: C:\Users\user\Desktop\order-181289654312464648.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.8329710414512155
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: order-181289654312464648.exe
File size: 5815808
MD5: 28da42c2cd57e51cb8ea7df263802924
SHA1: 81c980f2cda9b42b0b8bf50c7128cc88afd942fd
SHA256: 2d564ae361eb499ca493273e9fcfb88546105c88293c7633a7e1580a435cee9f
SHA512: 594ef84101106f21760953b8dd2660caa21fc6f08790b588875781b1233586a000cfae1d3a3001a1221762a08f18705e401c5af60f25d7e37032335346d9f828
SSDEEP: 98304:3QRUDjYYo/PJhTLqj7tLS+5xZEU2ytc40Gk15GhYwfxK+gEwj7u/B:3QRUIzTLq75x+U/tc9GrhPAFOJ
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..9..................U...........V.. ........@.. ........................Y...........`................................

File Icon

Icon Hash: c6a9989ae8ccb6cc

Static PE Info

General

Entrypoint: 0x961cae
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp: 0x39BE9B63 [Tue Sep 12 21:08:51 2000 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 97 times: the disassembly of the zero bytes that follow the single jmp of the .NET entrypoint stub)

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x561c54 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x562000 | 0x2ba4a | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x58e000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x55fcb4 | 0x55fe00 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x562000 | 0x2ba4a | 0x2bc00 | False | 0.236199776786 | data | 5.5567301511 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x58e000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x5622b0 | 0x39bc | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0x565c6c | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x576494 | 0x94a8 | data | |
RT_ICON | 0x57f93c | 0x5488 | data | |
RT_ICON | 0x584dc4 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 254, next used block 520093696 | |
RT_ICON | 0x588fec | 0x25a8 | data | |
RT_ICON | 0x58b594 | 0x10a8 | data | |
RT_ICON | 0x58c63c | 0x988 | data | |
RT_ICON | 0x58cfc4 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0x58d42c | 0x84 | data | |
RT_VERSION | 0x58d4b0 | 0x3b0 | data | |
RT_MANIFEST | 0x58d860 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2010 ?;BH8HG?:@DJDEDB753GC
Assembly Version | 1.0.0.0
InternalName | hugefrssaw.exe
FileVersion | 7.10.13.17
CompanyName | ?;BH8HG?:@DJDEDB753GC
Comments | 3:7=7B8D46?BJC<65<C>8?
ProductName | GJJ=2H538>53D9C4CD
ProductVersion | 7.10.13.17
FileDescription | GJJ=2H538>53D9C4CD
OriginalFilename | hugefrssaw.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2021 10:18:05.183847904 CET | 49741 | 40700 | 192.168.2.3 | 185.157.162.81
Jan 13, 2021 10:18:05.265274048 CET | 40700 | 49741 | 185.157.162.81 | 192.168.2.3
Jan 13, 2021 10:18:05.772847891 CET | 49741 | 40700 | 192.168.2.3 | 185.157.162.81
Jan 13, 2021 10:18:05.858684063 CET | 40700 | 49741 | 185.157.162.81 | 192.168.2.3
Jan 13, 2021 10:18:06.366697073 CET | 49741 | 40700 | 192.168.2.3 | 185.157.162.81
Jan 13, 2021 10:18:06.448652029 CET | 40700 | 49741 | 185.157.162.81 | 192.168.2.3
Jan 13, 2021 10:18:10.541047096 CET | 49743 | 40700 | 192.168.2.3 | 185.157.162.81
Jan 13, 2021 10:18:10.624140024 CET | 40700 | 49743 | 185.157.162.81 | 192.168.2.3
Jan 13, 2021 10:18:11.132726908 CET | 49743 | 40700 | 192.168.2.3 | 185.157.162.81
Jan 13, 2021 10:18:11.221738100 CET | 40700 | 49743 | 185.157.162.81 | 192.168.2.3
Jan 13, 2021 10:18:11.726533890 CET | 49743 | 40700 | 192.168.2.3 | 185.157.162.81
Jan 13, 2021 10:18:11.816729069 CET | 40700 | 49743 | 185.157.162.81 | 192.168.2.3
Jan 13, 2021 10:18:16.591576099 CET | 49744 | 40700 | 192.168.2.3 | 185.157.162.81
Jan 13, 2021 10:18:16.685046911 CET | 40700 | 49744 | 185.157.162.81 | 192.168.2.3
Jan 13, 2021 10:18:17.195848942 CET | 49744 | 40700 | 192.168.2.3 | 185.157.162.81
Jan 13, 2021 10:18:17.294382095 CET | 40700 | 49744 | 185.157.162.81 | 192.168.2.3
Jan 13, 2021 10:18:17.805157900 CET | 49744 | 40700 | 192.168.2.3 | 185.157.162.81
                                                                                                                            Jan 13, 2021 10:18:17.886883020 CET4070049744185.157.162.81192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:22.147533894 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:22.430186033 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:22.430293083 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:22.464010000 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:22.758575916 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:22.758668900 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:23.191312075 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:23.191379070 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:23.605516911 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:23.633533955 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:23.958090067 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.070549965 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.083247900 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.083295107 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.083316088 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.083338976 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.083389044 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.083417892 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.083436966 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.083726883 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.085408926 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.087407112 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.087611914 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.089659929 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.090418100 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.090538025 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.357623100 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.357680082 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.357753992 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.359256983 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.361134052 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.361207962 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.362083912 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.362200022 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.362242937 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.362272978 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.363096952 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.363154888 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.365103960 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.366099119 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.366158009 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.368100882 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.369003057 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.369066000 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.390433073 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.391096115 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.391381979 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.392076969 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.395148993 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.395257950 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.396030903 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.398098946 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.398341894 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.399117947 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.400033951 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.400301933 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.629337072 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.630142927 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.630208969 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.631036997 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.633137941 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.633208990 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.634157896 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.636156082 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.636291027 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.637115002 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.646197081 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.646245956 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.646256924 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.646291018 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.646372080 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.651071072 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.651117086 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.651154041 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.651186943 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.651247978 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.651350975 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.651381016 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.677258968 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.677321911 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.677360058 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.677427053 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.677436113 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.677475929 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.683063030 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.683202028 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.683244944 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.683247089 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.683372021 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.683398962 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.683478117 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.683793068 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.695643902 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.695684910 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.695720911 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.695751905 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.695760965 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.696275949 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.708138943 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.709136963 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.709239960 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.711026907 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.712174892 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.712515116 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.714098930 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.715019941 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.715193987 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.717058897 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.718141079 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.718312025 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.719095945 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.729288101 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.729365110 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.730096102 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.730159998 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.730278969 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.910190105 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.911077976 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.911185026 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.921041012 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.922055006 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.922102928 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.922136068 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.922156096 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.922224045 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.922245979 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.931360960 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.931389093 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.931420088 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.931499958 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.931591034 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.956155062 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.957046032 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.957070112 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.959016085 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.959119081 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.961019039 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.966080904 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.967279911 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.970016003 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.971005917 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.971102953 CET4070049747185.157.161.86192.168.2.3
Timestamp                            SrcPort  DstPort  Source IP        Dest IP
Jan 13, 2021 10:18:24.971131086 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:24.971153021 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:24.971187115 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:24.971204042 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:24.988141060 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:24.988230944 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:24.990063906 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:24.991066933 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:24.991200924 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:24.993031025 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:24.993951082 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:24.994260073 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:24.995999098 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:24.998079062 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:24.998460054 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:24.999021053 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.000051975 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.001295090 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.002058029 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.003087997 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.004930973 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.005454063 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.006005049 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.006270885 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.008032084 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.009310961 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.009618998 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.030215025 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.031478882 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.032130957 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.032556057 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.034065008 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.034674883 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.036062956 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.037115097 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.037338972 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.039076090 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.048116922 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.048175097 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.048218966 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.048336983 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.048415899 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.048456907 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.049093962 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.053941011 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.190359116 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.191180944 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.192126989 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.192163944 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.194062948 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.195188999 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.195225954 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.197207928 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.197581053 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.200058937 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.201103926 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.201282024 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.202126026 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.204015017 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.204402924 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.238333941 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.239231110 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.239434958 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.242089033 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.244287968 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.245326042 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.246141911 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.247076988 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.247189045 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.249074936 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.268301964 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.268819094 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.278229952 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.278285980 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.278325081 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.278364897 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.278403997 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.278470039 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.287127018 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.287194014 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.287236929 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.287272930 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.287385941 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.287417889 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.288045883 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.309243917 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.309314013 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.311183929 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.312203884 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.312309980 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.314052105 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.319103003 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.321398973 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.328241110 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.330146074 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.330199003 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.332145929 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.333098888 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.333137989 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.333180904 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.337063074 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.340905905 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.352269888 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.361139059 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.361339092 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.362210035 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.362375021 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.362489939 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.362495899 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.365228891 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.365341902 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.366398096 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.368093014 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.369108915 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.370465994 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.390230894 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.390979052 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.391107082 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.446706057 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.469311953 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.470024109 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.472203970 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.472244024 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.473186970 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.473316908 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.476115942 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.478354931 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.480230093 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.481113911 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.481173038 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.481369972 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.483037949 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.485172987 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.485460997 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.486179113 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.488055944 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.488420010 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.489095926 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.510205984 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.510351896 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.513786077 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.514446974 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.514616966 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.523123980 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.523184061 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.523288012 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.523389101 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.523484945 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.524754047 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.529151917 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.529196978 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.529236078 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.529273987 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.529381037 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.529664993 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.548399925 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.549101114 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.553056955 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.559190989 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.559252024 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.559467077 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.563107967 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.563168049 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.563220024 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.563270092 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.563401937 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.563424110 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.564065933 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.573170900 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.573251009 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.573312998 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.573349953 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.573405027 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.588237047 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.597052097 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.597233057 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.599009037 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.599106073 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.599406958 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.602040052 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.602107048 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.602303982 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.604041100 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.606201887 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.606301069 CET  49747    40700    192.168.2.3      185.157.161.86
Jan 13, 2021 10:18:25.607187033 CET  40700    49747    185.157.161.86   192.168.2.3
Jan 13, 2021 10:18:25.628098965 CET  40700    49747    185.157.161.86   192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.628514051 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:25.630073071 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.632071972 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.632138014 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:25.641055107 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.641108990 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.641196012 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:25.645097017 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.645136118 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.645288944 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:25.651032925 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.651072979 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.651103973 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.651133060 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:25.651206970 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.652671099 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:25.668092012 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.670110941 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.670177937 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:25.680114031 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.680155039 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.680207968 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.680211067 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:25.681042910 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.683936119 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:25.690094948 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.691098928 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.691148996 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.691193104 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:25.691200972 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.691258907 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:25.691293001 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.710136890 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.710774899 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:25.712177038 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.713035107 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.715045929 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.715106964 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:25.717082024 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.717601061 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:25.719156981 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.721088886 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.722033024 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.722081900 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:25.724047899 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.724163055 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:25.726048946 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.728041887 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.729079008 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.732619047 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:25.749104023 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.751040936 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.751120090 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:25.754070044 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.754604101 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:25.755237103 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.757023096 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.758723021 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:25.758977890 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.761020899 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.761096001 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:25.762069941 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.764007092 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.764400959 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:25.765027046 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.766989946 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.768018007 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.768048048 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:25.788111925 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.790040970 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.792123079 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.792253971 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:25.793010950 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:25.794085026 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.796174049 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.796655893 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:25.797053099 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.799093008 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.799170971 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:25.800087929 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.801054955 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.801114082 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:25.803057909 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:25.851042986 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:26.860927105 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:27.154771090 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:27.563905954 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:27.600199938 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:27.847914934 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:27.881409883 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:28.129985094 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:28.130112886 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:28.696695089 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:28.715828896 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:28.715965986 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:28.947942972 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:28.993587971 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:29.226605892 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:29.475765944 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:29.475914955 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:29.772223949 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:29.772290945 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:30.259751081 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:30.791851997 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:31.743752003 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:32.035710096 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:32.588196039 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:32.707973003 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:32.759474993 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:32.877912998 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:36.175870895 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:36.228513956 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:37.721136093 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:37.736629009 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:38.089247942 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:42.922646999 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:42.963550091 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:42.966700077 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:43.270188093 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:44.247268915 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:44.291768074 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:47.722273111 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:47.776333094 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:47.918312073 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:48.229109049 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:52.590935946 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:52.636099100 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:52.889394999 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:52.890019894 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:52.911185980 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:52.911462069 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:53.172229052 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:53.471452951 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:57.754240036 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:57.808490038 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:58.351063967 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:58.644531012 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:19:00.522243023 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:19:00.574359894 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:19:02.757158041 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:19:02.808842897 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:19:03.387403965 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:19:03.685174942 CET4070049747185.157.161.86192.168.2.3
Jan 13, 2021 10:19:07.760243893 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:19:07.809355974 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:19:08.400816917 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:19:08.598581076 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:19:08.653153896 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:19:08.683362007 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:19:12.764184952 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:19:12.840935946 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:19:14.185975075 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:19:14.475218058 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:19:16.709269047 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:19:16.840640068 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:19:17.760442019 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:19:17.843529940 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:19:19.758938074 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:19:20.079349041 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:19:22.794219017 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:19:22.838048935 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:19:24.685623884 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:19:24.829294920 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:19:24.869431019 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:19:25.006216049 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:19:27.799333096 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:19:27.854016066 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:19:30.215204000 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:19:30.524636984 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:19:32.797641993 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:19:32.839135885 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:19:33.084255934 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:19:33.133167982 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:19:35.214775085 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:19:35.510276079 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:19:37.805248022 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:19:37.855839968 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:19:40.215373039 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:19:40.510224104 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:19:40.967266083 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:19:41.011898041 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:19:42.840383053 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:19:42.888045073 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:19:45.639200926 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:19:45.953289986 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:19:47.829252958 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:19:47.871345043 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:19:49.063656092 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:19:49.105878115 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:19:50.669234037 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:19:51.010291100 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2021 10:16:25.588076115 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:16:25.636162996 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:16:26.546324968 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:16:26.597145081 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:16:27.383486986 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:16:27.447304964 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:16:28.179534912 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:16:28.230333090 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:16:29.101223946 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:16:29.149468899 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:16:30.176811934 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:16:30.227729082 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:16:31.113049030 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:16:31.160996914 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:16:32.278944016 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:16:32.326936960 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:16:33.979722977 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:16:34.027630091 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:16:34.787209034 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:16:34.835278988 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:16:35.579917908 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:16:35.628056049 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:16:36.404805899 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:16:36.452902079 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:16:37.318686962 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:16:37.366640091 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:16:38.166954041 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:16:38.218033075 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:17:00.392678022 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:17:00.451812983 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:17:07.054548979 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:17:07.102667093 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:17:10.299029112 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:17:10.356970072 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:17:14.910196066 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:17:14.968230963 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:17:16.544255972 CET | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:17:16.603800058 CET | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:17:19.857759953 CET | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:17:19.918687105 CET | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:17:28.169715881 CET | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:17:28.234174013 CET | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:18:04.993757010 CET | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:18:05.041783094 CET | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:18:05.433362007 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:18:05.497874022 CET | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:18:21.244446993 CET | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:18:21.308711052 CET | 53 | 61292 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:18:21.970290899 CET | 63619 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:18:22.055340052 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:18:22.103426933 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:18:22.143655062 CET | 53 | 63619 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:19:14.275618076 CET | 61946 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:19:14.360590935 CET | 53 | 61946 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:19:14.806078911 CET | 64910 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:19:14.862519026 CET | 53 | 64910 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:19:15.392956018 CET | 52123 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:19:15.462754965 CET | 53 | 52123 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:19:15.920629025 CET | 56130 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:19:15.980170965 CET | 53 | 56130 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:19:16.363198042 CET | 56338 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:19:16.419696093 CET | 53 | 56338 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:19:16.858954906 CET | 59420 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:19:16.915719986 CET | 53 | 59420 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:19:17.363606930 CET | 58784 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:19:17.411675930 CET | 53 | 58784 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:19:17.964610100 CET | 63978 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:19:18.020894051 CET | 53 | 63978 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:19:18.641583920 CET | 62938 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:19:18.700896978 CET | 53 | 62938 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:19:19.112045050 CET | 55708 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:19:19.168608904 CET | 53 | 55708 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 13, 2021 10:18:21.970290899 CET | 192.168.2.3 | 8.8.8.8 | 0x3f77 | Standard query (0) | nanopc.linkpc.net | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 13, 2021 10:18:21.308711052 CET | 8.8.8.8 | 192.168.2.3 | 0xddbc | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 10:18:22.143655062 CET | 8.8.8.8 | 192.168.2.3 | 0x3f77 | No error (0) | nanopc.linkpc.net | - | 185.157.161.86 | A (IP address) | IN (0x0001)

Code Manipulations

Statistics

Charts (per process): CPU Usage, Memory Usage, High Level Behavior Distribution, Behavior

System Behavior

General

Start time: 10:16:32
Start date: 13/01/2021
Path: C:\Users\user\Desktop\order-181289654312464648.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\order-181289654312464648.exe'
Imagebase: 0x50000
File size: 5815808 bytes
MD5 hash: 28DA42C2CD57E51CB8EA7DF263802924
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 10:17:19
Start date: 13/01/2021
Path: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe'
Imagebase: 0x8c0000
File size: 5815808 bytes
MD5 hash: 28DA42C2CD57E51CB8EA7DF263802924
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                            Antivirus matches:
                                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                                            Reputation:low

                                                                                                                            General

                                                                                                                            Start time:10:17:59
                                                                                                                            Start date:13/01/2021
                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                                                                                                                            Imagebase:0x6a0000
                                                                                                                            File size:42080 bytes
                                                                                                                            MD5 hash:F2A47587431C466535F3C3D3427724BE
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                            Yara matches:
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.624910732.0000000006BD0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.624910732.0000000006BD0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.625265297.0000000006CE0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.625265297.0000000006CE0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.625016694.0000000006C30000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.625016694.0000000006C30000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.624983363.0000000006C10000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.624983363.0000000006C10000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.620423784.0000000003E84000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.625032550.0000000006C40000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.625032550.0000000006C40000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.619247841.0000000003B51000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.625156989.0000000006CA0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.625156989.0000000006CA0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.625048622.0000000006C50000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.625048622.0000000006C50000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.625126493.0000000006C90000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.625126493.0000000006C90000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.624889874.0000000006BC0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.624889874.0000000006BC0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.619550033.0000000003C3E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.625086476.0000000006C70000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.625086476.0000000006C70000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.624999401.0000000006C20000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.624999401.0000000006C20000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.623946602.00000000051A0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.623946602.00000000051A0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.625068564.0000000006C60000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.625068564.0000000006C60000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.620771478.0000000003F6F000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.620771478.0000000003F6F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                            Antivirus matches:
                                                                                                                            • Detection: 0%, Virustotal
                                                                                                                            • Detection: 0%, Metadefender
                                                                                                                            • Detection: 0%, ReversingLabs
                                                                                                                            Reputation:moderate

                                                                                                                            General

                                                                                                                            Start time:10:18:09
                                                                                                                            Start date:13/01/2021
                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
                                                                                                                            Imagebase:0x860000
                                                                                                                            File size:78336 bytes
                                                                                                                            MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                            Antivirus matches:
                                                                                                                            • Detection: 7%, Virustotal
                                                                                                                            • Detection: 3%, Metadefender
                                                                                                                            • Detection: 7%, ReversingLabs
                                                                                                                            Reputation:moderate

                                                                                                                            General

                                                                                                                            Start time:10:18:12
                                                                                                                            Start date:13/01/2021
                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
                                                                                                                            Imagebase:0xda0000
                                                                                                                            File size:78336 bytes
                                                                                                                            MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                            Reputation:moderate

                                                                                                                            General

                                                                                                                            Start time:10:18:15
                                                                                                                            Start date:13/01/2021
                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
                                                                                                                            Imagebase:0x510000
                                                                                                                            File size:78336 bytes
                                                                                                                            MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                            Reputation:moderate

                                                                                                                            General

                                                                                                                            Start time:10:18:18
                                                                                                                            Start date:13/01/2021
                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
                                                                                                                            Imagebase:0x740000
                                                                                                                            File size:78336 bytes
                                                                                                                            MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                            Reputation:moderate

                                                                                                                            General

                                                                                                                            Start time:10:18:21
                                                                                                                            Start date:13/01/2021
                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
                                                                                                                            Imagebase:0x220000
                                                                                                                            File size:78336 bytes
                                                                                                                            MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                            Reputation:moderate

                                                                                                                            General

                                                                                                                            Start time:10:18:23
                                                                                                                            Start date:13/01/2021
                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
                                                                                                                            Imagebase:0xd80000
                                                                                                                            File size:78336 bytes
                                                                                                                            MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                            Reputation:moderate

                                                                                                                            General

                                                                                                                            Start time:10:18:27
                                                                                                                            Start date:13/01/2021
                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
                                                                                                                            Imagebase:0xff0000
                                                                                                                            File size:78336 bytes
                                                                                                                            MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                            Reputation:moderate

                                                                                                                            General

                                                                                                                            Start time:10:18:29
                                                                                                                            Start date:13/01/2021
                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
                                                                                                                            Imagebase:0x170000
                                                                                                                            File size:78336 bytes
                                                                                                                            MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                            Reputation:moderate

                                                                                                                            General

                                                                                                                            Start time:10:18:32
                                                                                                                            Start date:13/01/2021
                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
                                                                                                                            Imagebase:0x650000
                                                                                                                            File size:78336 bytes
                                                                                                                            MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                            Reputation:moderate

                                                                                                                            General

                                                                                                                            Start time:10:18:36
                                                                                                                            Start date:13/01/2021
                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
                                                                                                                            Imagebase:0xf70000
                                                                                                                            File size:78336 bytes
                                                                                                                            MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                            Reputation:moderate

                                                                                                                            General

                                                                                                                            Start time:10:18:40
                                                                                                                            Start date:13/01/2021
                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
                                                                                                                            Imagebase:0xd60000
                                                                                                                            File size:78336 bytes
                                                                                                                            MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                            Reputation:moderate

                                                                                                                            General

                                                                                                                            Start time:10:18:42
                                                                                                                            Start date:13/01/2021
                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
                                                                                                                            Imagebase:0x10000
                                                                                                                            File size:78336 bytes
                                                                                                                            MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                            Reputation:moderate

                                                                                                                            General

                                                                                                                            Start time:10:18:46
                                                                                                                            Start date:13/01/2021
                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
                                                                                                                            Imagebase:0xe20000
                                                                                                                            File size:78336 bytes
                                                                                                                            MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                            Reputation:moderate

                                                                                                                            General

                                                                                                                            Start time:10:18:48
                                                                                                                            Start date:13/01/2021
                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
                                                                                                                            Imagebase:0xe70000
                                                                                                                            File size:78336 bytes
                                                                                                                            MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                            Reputation:moderate

                                                                                                                            General

                                                                                                                            Start time:10:18:54
                                                                                                                            Start date:13/01/2021
                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
                                                                                                                            Imagebase:0xcf0000
                                                                                                                            File size:78336 bytes
                                                                                                                            MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:.Net C# or VB.NET

                                                                                                                            General

                                                                                                                            Start time:10:18:57
                                                                                                                            Start date:13/01/2021
                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
                                                                                                                            Imagebase:0x830000
                                                                                                                            File size:78336 bytes
                                                                                                                            MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:.Net C# or VB.NET

                                                                                                                            General

                                                                                                                            Start time:10:19:01
                                                                                                                            Start date:13/01/2021
                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
                                                                                                                            Imagebase:0x5c0000
                                                                                                                            File size:78336 bytes
                                                                                                                            MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:.Net C# or VB.NET
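The process list above shows the same dropped binary (one MD5, one path under the user's %TEMP%) being launched again and again a few seconds apart, each time at a different image base and each time with elevated privileges. That repeat-launch pattern is what a triage analyst wants pulled out of a report like this. The following is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: a small Python parser for the "General" process-block layout used above, run over a constructed three-entry excerpt in the same format, that groups launches by MD5 hash and flags a dropped %TEMP% binary that is relaunched. The field names follow the report; the "relaunch" threshold (two or more launches) and the `TEMP_MARKER` path check are my assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed excerpt in the report's "General" process-entry layout. The
# values mirror the repeated launches listed above but this text is not
# copied from the report; it is sample input for the parser.
SAMPLE_REPORT = r"""
General

Start time:10:18:29
Start date:13/01/2021
Path:C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
Imagebase:0x170000
File size:78336 bytes
MD5 hash:0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges:true
Reputation:moderate

General

Start time:10:18:32
Start date:13/01/2021
Path:C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
Imagebase:0x650000
File size:78336 bytes
MD5 hash:0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges:true

General

Start time:10:18:36
Start date:13/01/2021
Path:C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
Imagebase:0xf70000
File size:78336 bytes
MD5 hash:0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges:true
"""

# Assumed path fragment that identifies a user-temp drop location.
TEMP_MARKER = "\\appdata\\local\\temp\\"
_BOOL = {"true": True, "false": False}


def _coerce(key, value):
    """Turn the report's string fields into Python values where it helps."""
    if key == "Imagebase":
        return int(value, 16)
    if key == "File size":
        return int(value.split()[0])
    return _BOOL.get(value.lower(), value)


def parse_process_entries(text):
    """Return one dict per 'General' block; keys are the report's field names.

    Lines are split on the first ':' only, so 'Start time:10:18:29' and
    'Wow64 process (32bit):true' both parse correctly.
    """
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "General":
            if current:
                entries.append(current)
            current = {}
            continue
        if current is None or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        current[key] = _coerce(key, value)
    if current:
        entries.append(current)
    for e in entries:
        if "Start date" in e and "Start time" in e:
            e["started"] = datetime.strptime(
                f"{e['Start date']} {e['Start time']}", "%d/%m/%Y %H:%M:%S")
    return entries


def summarize_by_hash(entries):
    """Group launches by MD5 and compute the facts an analyst checks first."""
    groups = defaultdict(list)
    for e in entries:
        groups[e.get("MD5 hash", "?")].append(e)
    summary = {}
    for md5, launches in groups.items():
        launches.sort(key=lambda e: e["started"])
        paths = {e["Path"] for e in launches}
        # Differing image bases for one identical file are expected under ASLR;
        # they do not by themselves indicate distinct binaries.
        bases = {e["Imagebase"] for e in launches}
        gaps = [(b["started"] - a["started"]).total_seconds()
                for a, b in zip(launches, launches[1:])]
        summary[md5] = {
            "launches": len(launches),
            "paths": sorted(paths),
            "distinct_imagebases": len(bases),
            "max_gap_seconds": max(gaps) if gaps else 0.0,
            "all_elevated": all(e.get("Has elevated privileges") for e in launches),
            # Assumed rule: a %TEMP%-dropped file launched two or more times.
            "flag_temp_relaunch": len(launches) >= 2
            and any(TEMP_MARKER in p.lower() for p in paths),
        }
    return summary


if __name__ == "__main__":
    for md5, info in summarize_by_hash(parse_process_entries(SAMPLE_REPORT)).items():
        print(md5, info)
```

The parser tolerates blocks that omit fields (the second and third entries above have no `Reputation` line, as several of the real entries do), and the summary keeps the raw facts (launch count, paths, gap between launches, privilege level) separate from the one heuristic flag so the rule can be tuned without touching the parsing.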

                                                                                                                            Disassembly

                                                                                                                            Code Analysis


                                                                                                                              Executed Functions

                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.311904635.00000000027E0000.00000040.00000001.sdmp, Offset: 027E0000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: ($<$ntin
                                                                                                                              • API String ID: 0-2777557274
                                                                                                                              • Opcode ID: cb3e9827f823d26258aa8fc5758c682fd472935ad4549b9494c70e7848f0b301
                                                                                                                              • Instruction ID: fb65d035693717e9debcd12822fb48f3e0023952a96440749f27833f965ac11b
                                                                                                                              • Opcode Fuzzy Hash: cb3e9827f823d26258aa8fc5758c682fd472935ad4549b9494c70e7848f0b301
                                                                                                                              • Instruction Fuzzy Hash: FEA2E274E00219CFDB24CFA9C985BDDBBF6BF89314F2481A9D509AB255D730A981CF60
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.311904635.00000000027E0000.00000040.00000001.sdmp, Offset: 027E0000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: kxM$oxM${xM
                                                                                                                              • API String ID: 0-2655875330
                                                                                                                              • Opcode ID: 91d8735b6c53f2301d702e17650499c015f0ab5392a070ddbc5c7a3b907d1aa7
                                                                                                                              • Instruction ID: 902436dafe9d932f62e726b002dad74fdd7427e04549ae15e9cf704f6a17d66a
                                                                                                                              • Opcode Fuzzy Hash: 91d8735b6c53f2301d702e17650499c015f0ab5392a070ddbc5c7a3b907d1aa7
                                                                                                                              • Instruction Fuzzy Hash: 3C61D431B081058BDB149B7988127BFB2A3ABC9204F25843AD507AF785EFB5DC41C7A2
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.311904635.00000000027E0000.00000040.00000001.sdmp, Offset: 027E0000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: <$@
                                                                                                                              • API String ID: 0-1426351568
                                                                                                                              • Opcode ID: eb552b213856bc521d90343f1ff37efb694b3ace3f5a5422eaeb9a50df2918ef
                                                                                                                              • Instruction ID: c706f33bbb6109e0020dd97707588bfe8a5a7a5e838ba94125df892b77ba5014
                                                                                                                              • Opcode Fuzzy Hash: eb552b213856bc521d90343f1ff37efb694b3ace3f5a5422eaeb9a50df2918ef
                                                                                                                              • Instruction Fuzzy Hash: AD62BFB4E00219CFDB64CFA9C984A9DFBF6BF48354F19C1A9D509AB211D770A981CF60
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.311904635.00000000027E0000.00000040.00000001.sdmp, Offset: 027E0000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 92ffeb8844529bd1f019cfca30144992b1adb1a3005e0943594bba3067a3c204
                                                                                                                              • Instruction ID: abe40695149934d2478b00f1a98ce55798965c31643c9138ea08eb15dda6ca4d
                                                                                                                              • Opcode Fuzzy Hash: 92ffeb8844529bd1f019cfca30144992b1adb1a3005e0943594bba3067a3c204
                                                                                                                              • Instruction Fuzzy Hash: AB725A71A001198FCF14DFA9C8A4AAEBBF6BF8D304F158469E406EB265DB30DD41CB61
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.311904635.00000000027E0000.00000040.00000001.sdmp, Offset: 027E0000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: ce6454e572092d2f0cd755132a77d4a4aa4d0b16ffbfbfe6f4b345ecebbf1bd9
                                                                                                                              • Instruction ID: f50fdeb89a29a568e329c332f45968faa1efac491a623a4727b03fbaefaf6874
                                                                                                                              • Opcode Fuzzy Hash: ce6454e572092d2f0cd755132a77d4a4aa4d0b16ffbfbfe6f4b345ecebbf1bd9
                                                                                                                              • Instruction Fuzzy Hash: 30826D31A04209DFCF19CF68C884AAEBBF2FF4D318F158959E416AB261D731E951CB61
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.311904635.00000000027E0000.00000040.00000001.sdmp, Offset: 027E0000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 0a08f4043639b8e9b558fe1745bc2d449b045c98ccaad53c79f534335bcfb787
                                                                                                                              • Instruction ID: a27846adf435539233bb0a3ba21c85aa8b3c90b42d9c3e890c0a89f8107bb225
                                                                                                                              • Opcode Fuzzy Hash: 0a08f4043639b8e9b558fe1745bc2d449b045c98ccaad53c79f534335bcfb787
                                                                                                                              • Instruction Fuzzy Hash: A5429178E01219CFDB14CFA9C984BADBBF6BF48310F1585A9D809AB355D730AA85CF50
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.311904635.00000000027E0000.00000040.00000001.sdmp, Offset: 027E0000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 94a443c9af516bb805a102e77a7145a1bc64f8faa82b7355ab480584d56c51f8
                                                                                                                              • Instruction ID: 541d5fbf0d410a80c1ce7b10a1bf27ce0207a9eab319cd0b684687504712819d
                                                                                                                              • Opcode Fuzzy Hash: 94a443c9af516bb805a102e77a7145a1bc64f8faa82b7355ab480584d56c51f8
                                                                                                                              • Instruction Fuzzy Hash: 3A32E2B4900219CFDB50DFA9C984A8DFBFABF48359F59C595D409AB212CB30D985CFA0
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.311904635.00000000027E0000.00000040.00000001.sdmp, Offset: 027E0000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 772154e666249e30e948f42ce774eff57c75b0797f172e46ed5f573e1ef1525f
                                                                                                                              • Instruction ID: 7397ea9d9157e273db24e2f068d02e4ac2925a539eee8077d826fa7adf54ae6b
                                                                                                                              • Opcode Fuzzy Hash: 772154e666249e30e948f42ce774eff57c75b0797f172e46ed5f573e1ef1525f
                                                                                                                              • Instruction Fuzzy Hash: 2122E274D05228CFDB68DF65D9487ECBBB2BF49305F1494AAD40AA7350EB349A81CF10
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.311904635.00000000027E0000.00000040.00000001.sdmp, Offset: 027E0000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 4deba3a3f557c163051034a1bada2650e7a6d7ad80a3b8c3fd5a90c7a85f29c0
                                                                                                                              • Instruction ID: ab0488a4123a45b552a0266e67cd9f169517a376eef9707d494c7cd60e23f125
                                                                                                                              • Opcode Fuzzy Hash: 4deba3a3f557c163051034a1bada2650e7a6d7ad80a3b8c3fd5a90c7a85f29c0
                                                                                                                              • Instruction Fuzzy Hash: 56D1D074E00218CFDB54DFA9D944BADBBB2BF88304F1085AAD449AB754EB305E85CF61
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.311904635.00000000027E0000.00000040.00000001.sdmp, Offset: 027E0000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 2408eb7a91a854b4056f5f6d307c3b69682633345781066875b671cd08bd550c
                                                                                                                              • Instruction ID: 9962883e696196eedd226ad378410a19a08ee1fe8beda31c3f6d96b2f1022707
                                                                                                                              • Opcode Fuzzy Hash: 2408eb7a91a854b4056f5f6d307c3b69682633345781066875b671cd08bd550c
                                                                                                                              • Instruction Fuzzy Hash: 84A1F274E00618CFDB54DFA9D984B9DBBF2FF88304F1084AAD449AB265EB305A95CF11
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • VirtualProtect.KERNEL32(?,?,?,?), ref: 027EE4DF
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.311904635.00000000027E0000.00000040.00000001.sdmp, Offset: 027E0000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: ProtectVirtual
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 544645111-0
                                                                                                                              • Opcode ID: 1e619adc75d4be2a00db08af4987469354ba1456d55a5e8bf19471bea9208eec
                                                                                                                              • Instruction ID: 3d1813ad8cb2b0796ff83f75827e1d49ce552f65bc09dddd4fa84d477f5089ea
                                                                                                                              • Opcode Fuzzy Hash: 1e619adc75d4be2a00db08af4987469354ba1456d55a5e8bf19471bea9208eec
                                                                                                                              • Instruction Fuzzy Hash: 0051F574E002189FDF14DFA9D490AEDBBF2EF89304F20846AD815AB364DB359946CF50
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • VirtualProtect.KERNEL32(?,?,?,?), ref: 027EA3DF
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.311904635.00000000027E0000.00000040.00000001.sdmp, Offset: 027E0000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: ProtectVirtual
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 544645111-0
                                                                                                                              • Opcode ID: 7641d345a6aaa9a5fc1957ea85fcf82fec271a28e134e1d864f4e62241d012c9
                                                                                                                              • Instruction ID: 6a4a6d2b4d15e5fcea68b87ab37c2fcb821c2a322267d7441f015bb6c7470245
                                                                                                                              • Opcode Fuzzy Hash: 7641d345a6aaa9a5fc1957ea85fcf82fec271a28e134e1d864f4e62241d012c9
                                                                                                                              • Instruction Fuzzy Hash: 2031A8B9D042589FCF10CFA9E584AEEFBF1AF59310F14902AE815B7210D735A946CF64
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • VirtualProtect.KERNEL32(?,?,?,?), ref: 027EA3DF
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.311904635.00000000027E0000.00000040.00000001.sdmp, Offset: 027E0000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: ProtectVirtual
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 544645111-0
                                                                                                                              • Opcode ID: 5f4dfed975ac412c99602ddfd8de562e4b4d986f5afe761a91a87fdb7a2f0d84
                                                                                                                              • Instruction ID: a8668b683406ac989b5787114ce32a99702d6b8038dd0809f5deb9fd27eae778
                                                                                                                              • Opcode Fuzzy Hash: 5f4dfed975ac412c99602ddfd8de562e4b4d986f5afe761a91a87fdb7a2f0d84
                                                                                                                              • Instruction Fuzzy Hash: D63197B9D042589FCF10CFA9D984AEEFBF0BB19310F14902AE815B7210D775A945CF64
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • VirtualProtect.KERNEL32(?,?,?,?), ref: 027EE4DF
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.311904635.00000000027E0000.00000040.00000001.sdmp, Offset: 027E0000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: ProtectVirtual
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 544645111-0
                                                                                                                              • Opcode ID: 1b9e80d9ab624e2fcae1bfec63b68007a994b12ed0337a78c7aeed9d22aa4c4e
                                                                                                                              • Instruction ID: 969deb898561368efb75fa7790641479630047a39e7b2e7202efc2a6e5992585
                                                                                                                              • Opcode Fuzzy Hash: 1b9e80d9ab624e2fcae1bfec63b68007a994b12ed0337a78c7aeed9d22aa4c4e
                                                                                                                              • Instruction Fuzzy Hash: 743197B9D042589FCF10CFA9D984AEEFBB0BB19320F14A42AE815B7210D775A945CF64
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • VirtualProtect.KERNEL32(?,?,?,?), ref: 027EE4DF
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.311904635.00000000027E0000.00000040.00000001.sdmp, Offset: 027E0000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: ProtectVirtual
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 544645111-0
                                                                                                                              • Opcode ID: 7f8e9c44cfe02c9b559bfdeeaf93e1787feff81a8b1f0aac9cf5d926cc732d10
                                                                                                                              • Instruction ID: a55a91f4cfd46bf1ef46dd3ff70d64b2c3f49dda08028a80bb76e62c9d00d560
                                                                                                                              • Opcode Fuzzy Hash: 7f8e9c44cfe02c9b559bfdeeaf93e1787feff81a8b1f0aac9cf5d926cc732d10
                                                                                                                              • Instruction Fuzzy Hash: 0531A8B5D002589FCB10CFA9E580AEEFBF0BB09310F14A42AE815B7210D735AA45CF64
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.311904635.00000000027E0000.00000040.00000001.sdmp, Offset: 027E0000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: DeleteFile
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4033686569-0
                                                                                                                              • Opcode ID: 06e7ab20009fc5cb50cdea446506c91346eadf014a4b43bc72d983725f7dbbbb
                                                                                                                              • Instruction ID: 0daebd9a0b6258d5fec3e998b4e6d166b4ce867680d94b854acdb55cd2eca845
                                                                                                                              • Opcode Fuzzy Hash: 06e7ab20009fc5cb50cdea446506c91346eadf014a4b43bc72d983725f7dbbbb
                                                                                                                              • Instruction Fuzzy Hash: 9831B9B4D052189FCF10CFA9D984AEEFBF5BB49324F14846AE409B7210D774AA45CBA4
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.311904635.00000000027E0000.00000040.00000001.sdmp, Offset: 027E0000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: DeleteFile
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4033686569-0
                                                                                                                              • Opcode ID: 6666939e4e4315fb7291c39ebd80aabc4021c0e62d830b6b6160b9750c2e33f0
                                                                                                                              • Instruction ID: 19b1fc2ae34518ff08f5b53ffb27ed9e5d15e641a3ed5d534b6a291ed64766e0
                                                                                                                              • Opcode Fuzzy Hash: 6666939e4e4315fb7291c39ebd80aabc4021c0e62d830b6b6160b9750c2e33f0
                                                                                                                              • Instruction Fuzzy Hash: 7D31E8B4D052189FCF10CFA9D884AEEFBF1BB49324F14842AE409B7250D334AA46CF64
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.311659713.0000000000E9D000.00000040.00000001.sdmp, Offset: 00E9D000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 4a8636bb4a1f221f4b15df76967f464e81aef68328076139c82f4032893189d4
                                                                                                                              • Instruction ID: b209fa8fc2a6d173ce0487a4c22ca0a38e41bda02f45bf538480f768a3817f43
                                                                                                                              • Opcode Fuzzy Hash: 4a8636bb4a1f221f4b15df76967f464e81aef68328076139c82f4032893189d4
                                                                                                                              • Instruction Fuzzy Hash: 9D01F27140C394AAEB204B55DC84BE7BB98EF41328F18C41AED046B296C378DC44C6B1
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000000.00000002.311659713.0000000000E9D000.00000040.00000001.sdmp, Offset: 00E9D000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 1eff6e7ef49b44dac1cb7d1aec85514444f9d57e8f02d88183f5e55564cfb024
                                                                                                                              • Instruction ID: 294cc7115d0e1656ae79cd0f3d22426ccab2a4482943a8b90caf09dd87c51269
                                                                                                                              • Opcode Fuzzy Hash: 1eff6e7ef49b44dac1cb7d1aec85514444f9d57e8f02d88183f5e55564cfb024
                                                                                                                              • Instruction Fuzzy Hash: A8F06271408354AEEB208B55DD84BA6FF98EB41738F18C45AED085B296C3799C44CAB1
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Non-executed Functions

                                                                                                                              Executed Functions

                                                                                                                              APIs
                                                                                                                              • CreateProcessAsUserW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 05AE3F54
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000D.00000002.625554479.0000000005AE0000.00000040.00000001.sdmp, Offset: 05AD0000, based on PE: true
                                                                                                                              • Associated: 0000000D.00000002.625529025.0000000005AD0000.00000004.00000001.sdmp
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateProcessUser
                                                                                                                              • String ID: F
                                                                                                                              • API String ID: 2217836671-1304234792
Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 031DA3DF
Memory Dump Source
• Source File: 0000000D.00000002.616877956.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: false
Similarity
• API ID: ProtectVirtual
• String ID: F
• API String ID: 544645111-1304234792
Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 031DE4DF
Memory Dump Source
• Source File: 0000000D.00000002.616877956.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: false
Similarity
• API ID: ProtectVirtual
• String ID: F
• API String ID: 544645111-1304234792
Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 031DA3DF
Memory Dump Source
• Source File: 0000000D.00000002.616877956.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: false
Similarity
• API ID: ProtectVirtual
• String ID: F
• API String ID: 544645111-1304234792
Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 031DE4DF
Memory Dump Source
• Source File: 0000000D.00000002.616877956.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: false
Similarity
• API ID: ProtectVirtual
• String ID: F
• API String ID: 544645111-1304234792
Uniqueness Score: -1.00%

APIs
• DeleteFileW.KERNELBASE(?), ref: 031DEB91
Memory Dump Source
• Source File: 0000000D.00000002.616877956.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: false
Similarity
• API ID: DeleteFile
• String ID: F
• API String ID: 4033686569-1304234792
Uniqueness Score: -1.00%

APIs
• DeleteFileW.KERNELBASE(?), ref: 031DEB91
Memory Dump Source
• Source File: 0000000D.00000002.616877956.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: false
Similarity
• API ID: DeleteFile
• String ID: F
• API String ID: 4033686569-1304234792
Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 031DE4DF
Memory Dump Source
• Source File: 0000000D.00000002.616877956.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: false
Similarity
• API ID: ProtectVirtual
• API String ID: 544645111-0
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.616720174.000000000313D000.00000040.00000001.sdmp, Offset: 0313D000, based on PE: false
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.616720174.000000000313D000.00000040.00000001.sdmp, Offset: 0313D000, based on PE: false
Uniqueness Score: -1.00%

Non-executed Functions

Executed Functions

Memory Dump Source
• Source File: 0000000F.00000002.623704882.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.625351174.0000000006D00000.00000040.00000001.sdmp, Offset: 06D00000, based on PE: false
Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32 ref: 029FB730
• GetCurrentThread.KERNEL32 ref: 029FB76D
• GetCurrentProcess.KERNEL32 ref: 029FB7AA
• GetCurrentThreadId.KERNEL32 ref: 029FB803
Memory Dump Source
• Source File: 0000000F.00000002.611925457.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• API String ID: 2063062207-0
Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32 ref: 029FB730
• GetCurrentThread.KERNEL32 ref: 029FB76D
• GetCurrentProcess.KERNEL32 ref: 029FB7AA
• GetCurrentThreadId.KERNEL32 ref: 029FB803
Memory Dump Source
• Source File: 0000000F.00000002.611925457.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• API String ID: 2063062207-0
                                                                                                                              • Opcode ID: 4a68cfbef48ba90d73381adbc6d4e4e3cf853953112c7361a98448c3b6412512
                                                                                                                              • Instruction ID: fd4e0fc0876c94062184a4972450a2b6c679d0c7e3081ed907f7cf23b3ed960e
                                                                                                                              • Opcode Fuzzy Hash: 4a68cfbef48ba90d73381adbc6d4e4e3cf853953112c7361a98448c3b6412512
                                                                                                                              • Instruction Fuzzy Hash: 2D5156B0E006488FDB50CFA9D648BEEBBF1BF48308F208459E019A7350DB749949CF61
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.623704882.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 7eb4958c3be4b4567533f3fb583cdf9dee76610eae29d699b95610078ced5656
                                                                                                                              • Instruction ID: 999d434b4afb85fc5a4387cc3b7fed9f5536c5228e0bbb70746e9f1e59d77122
                                                                                                                              • Opcode Fuzzy Hash: 7eb4958c3be4b4567533f3fb583cdf9dee76610eae29d699b95610078ced5656
                                                                                                                              • Instruction Fuzzy Hash: B0227E78F04207CFDB54CB98E588ABEBBB2FF89310F148556D412AB365C734A885CB61
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetSystemTimes.KERNEL32(?,?,?), ref: 06D01574
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.625351174.0000000006D00000.00000040.00000001.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: SystemTimes
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 375623090-0
                                                                                                                              • Opcode ID: fdf7858c1fe7c5701e64eb406908fa5fd57f3115d8b6334890b406bbf8a44e7e
                                                                                                                              • Instruction ID: 4ad2a8c2309469253c8cce635cf1aa7ed6c72d9f16233c05667728b1d8c2c28e
                                                                                                                              • Opcode Fuzzy Hash: fdf7858c1fe7c5701e64eb406908fa5fd57f3115d8b6334890b406bbf8a44e7e
                                                                                                                              • Instruction Fuzzy Hash: 25B1A075D0061ACFDB50CFA9C880AD9FBB5FF49310F15C69AD958AB201E770AA85CF90
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0506E289
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.623704882.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: CurrentThread
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2882836952-0
                                                                                                                              • Opcode ID: efa9eead79b811a14b35afceda43be318eac034dd17d7d096a8f911f23a3a6c3
                                                                                                                              • Instruction ID: a8ed1c03e22c7529f466c6ab6ed69503e687f38d53b978d9ed4bc9941d3e0b57
                                                                                                                              • Opcode Fuzzy Hash: efa9eead79b811a14b35afceda43be318eac034dd17d7d096a8f911f23a3a6c3
                                                                                                                              • Instruction Fuzzy Hash: A1818974E043588FCB54DFA8D854BEEBBFABF88304F24842AD415AB350DB749945CBA1
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.624556711.00000000060F0000.00000040.00000001.sdmp, Offset: 060F0000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 293f1589ef341aeb50ba3c876d8c5099359dc390432cd085855f6658f2163ee9
                                                                                                                              • Instruction ID: 3cc5bde5d51da3e7e42ebd0326d68317913a912c5aa8cf04b1239f22e1e86ca6
                                                                                                                              • Opcode Fuzzy Hash: 293f1589ef341aeb50ba3c876d8c5099359dc390432cd085855f6658f2163ee9
                                                                                                                              • Instruction Fuzzy Hash: 61818771D142098FDB54CFA9C8806EEBBF1FF48324F24842AD905AB640DB74998ACF91
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 029F962E
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.611925457.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: HandleModule
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 4139908857-0
                                                                                                                              • Opcode ID: 3facd9bbc500f457ec3ee501503758c537a950856363f35b6dede9fd13121b4b
                                                                                                                              • Instruction ID: 4be10a6651603102bb0934f2a3194d9fa12d16d4c10cdb8c9614ee0bdb087129
                                                                                                                              • Opcode Fuzzy Hash: 3facd9bbc500f457ec3ee501503758c537a950856363f35b6dede9fd13121b4b
                                                                                                                              • Instruction Fuzzy Hash: 2D713770A00B058FEBA4DF29C44175AB7F5BF88318F108A2DD58ADBA50D775E846CF91
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 029FFD0A
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.611925457.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateWindow
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 716092398-0
                                                                                                                              • Opcode ID: 44956d482d12ab2fdb2e7030d8cf2a774f69cb26f5680cee65106a8a2eddaf0c
                                                                                                                              • Instruction ID: 7728ad68396162766046f2aee07a6fdb8fc692f18bcf9e012b6aa3ca9a24b096
                                                                                                                              • Opcode Fuzzy Hash: 44956d482d12ab2fdb2e7030d8cf2a774f69cb26f5680cee65106a8a2eddaf0c
                                                                                                                              • Instruction Fuzzy Hash: EB51DFB1D00348DFDF14CFA9C980ADEBBB5BF48314F24812AE919AB250D7749985CF90
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 029FFD0A
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.611925457.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateWindow
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 716092398-0
                                                                                                                              • Opcode ID: 06eac5cf63e0524e2758e39621a40cda5834d7417c06483475471a4d59e87790
                                                                                                                              • Instruction ID: 3960c1f99c7130c9629b0e2681089fc16836f33f775949c88b7a770b8b6acb0d
                                                                                                                              • Opcode Fuzzy Hash: 06eac5cf63e0524e2758e39621a40cda5834d7417c06483475471a4d59e87790
                                                                                                                              • Instruction Fuzzy Hash: 7B41CFB1D00308DFDF54CFA9C984ADEBBB5BF88314F24812AE919AB250D7749985CF90
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 050646B1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.623704882.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: Create
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2289755597-0
                                                                                                                              • Opcode ID: 1d207385e37e6e78eddd11e441ed06e537928dfe31ad4b3e43943b4094320cbf
                                                                                                                              • Instruction ID: b3a2f15476feac9701302c5c87bd76e5a0d43d757b1e7068b216a83ad95a104b
                                                                                                                              • Opcode Fuzzy Hash: 1d207385e37e6e78eddd11e441ed06e537928dfe31ad4b3e43943b4094320cbf
                                                                                                                              • Instruction Fuzzy Hash: 5E4104B1C04618CBDF24CFA9D988BDEBBF5BF49304F248469D408AB251DB74694ACF91
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 050646B1
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.623704882.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: Create
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2289755597-0
                                                                                                                              • Opcode ID: 18351b988df80d8d11e86139a7bef2dac5821f7274c101cbf970632a7f401c9e
                                                                                                                              • Instruction ID: 97e290e8e28034541ae70628cd779e846f5182e3949190b091b984131c689b1a
                                                                                                                              • Opcode Fuzzy Hash: 18351b988df80d8d11e86139a7bef2dac5821f7274c101cbf970632a7f401c9e
                                                                                                                              • Instruction Fuzzy Hash: F541FE70C04618CBDF24CFA9D984BDEBBF5BF89304F248469D408AB250DBB5694ACF91
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 05062531
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.623704882.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: CallProcWindow
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2714655100-0
                                                                                                                              • Opcode ID: c093e95a5bd8f44bd64faed39d61925749532c3b19e8d06299de9cdf7c0091cd
                                                                                                                              • Instruction ID: 92534a8b4c9292bbb8e7deae14040cd34b6dc2ecafeeccc2a70014130290e0f6
                                                                                                                              • Opcode Fuzzy Hash: c093e95a5bd8f44bd64faed39d61925749532c3b19e8d06299de9cdf7c0091cd
                                                                                                                              • Instruction Fuzzy Hash: D94116B8A002058FDB14CF99D488AAEBBF6FB88314F158499D519AB321D774A845CFA0
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 060F0DE9
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.624556711.00000000060F0000.00000040.00000001.sdmp, Offset: 060F0000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: CurrentThread
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2882836952-0
                                                                                                                              • Opcode ID: da84ede1202068e38cb0ef423f11292fe3356da35099504ec867b0b7f9b34535
                                                                                                                              • Instruction ID: cd2a3a784a4691c8a908b51303cd3522caa9dcda10ea53aeb9a2197fa754b9bc
                                                                                                                              • Opcode Fuzzy Hash: da84ede1202068e38cb0ef423f11292fe3356da35099504ec867b0b7f9b34535
                                                                                                                              • Instruction Fuzzy Hash: 4D31DA74E10218CFDBA4DF68C498BAEBFF5AF48710F148029E906AB751DB709885CF90
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.625351174.0000000006D00000.00000040.00000001.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: LibraryLoad
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1029625771-0
                                                                                                                              • Opcode ID: 6a3132cd8b0939e4c75b14b932a5f2d1969f51f51166606b10b66d445ca4200a
                                                                                                                              • Instruction ID: 5336128baba98caeb11d4a4c66573e3ed6596724d13c8080a8b64d9097fed0a5
                                                                                                                              • Opcode Fuzzy Hash: 6a3132cd8b0939e4c75b14b932a5f2d1969f51f51166606b10b66d445ca4200a
                                                                                                                              • Instruction Fuzzy Hash: 2E3125B0D042499FEB94CFA9C88579EBBF1FB09314F548529E816AB380D774A885CF91
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.625351174.0000000006D00000.00000040.00000001.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: LibraryLoad
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1029625771-0
                                                                                                                              • Opcode ID: 6ce12bba7fd4d0ca22ee1184538f1f69a758026dd7b09312a22716c25e1df033
                                                                                                                              • Instruction ID: 61f6724e5cf35b9aff7109f8e1611dacc144ff6d7f7570a38b93433e2cbc1958
                                                                                                                              • Opcode Fuzzy Hash: 6ce12bba7fd4d0ca22ee1184538f1f69a758026dd7b09312a22716c25e1df033
                                                                                                                              • Instruction Fuzzy Hash: B03132B0D042499FEB94CFA8C885B9EBBF1FB09314F148529E816AB380D774A485CB91
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 029FBD87
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.611925457.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: DuplicateHandle
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3793708945-0
                                                                                                                              • Opcode ID: 77999dbaf091c6c4ea2fe66f419ed5e7263f83ad17977d695691648bc3c4ae3f
                                                                                                                              • Instruction ID: e8fa67762fa3a873147a349dcfc404dc3415405adf03490f1badeb59647e78a7
                                                                                                                              • Opcode Fuzzy Hash: 77999dbaf091c6c4ea2fe66f419ed5e7263f83ad17977d695691648bc3c4ae3f
                                                                                                                              • Instruction Fuzzy Hash: 4D319F74A40B40CFEB059F70E6457AD3BB1F799309F14462AEA818B7CACB7A0901CF11
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.623704882.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateFromIconResource
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3668623891-0
                                                                                                                              • Opcode ID: 3659852e9abd14445c3ddcb05d27bb3333e1588b19aef15cec2f9a3a90ae1ab4
                                                                                                                              • Instruction ID: d4771377ea990c67780c765b6cb4c9c13d94a9aa65e97a14ac3d5026ec47b57e
                                                                                                                              • Opcode Fuzzy Hash: 3659852e9abd14445c3ddcb05d27bb3333e1588b19aef15cec2f9a3a90ae1ab4
                                                                                                                              • Instruction Fuzzy Hash: 6D317AB29043899FCB11DFA9D844AEEBFF9EF09310F08805AE954A7211C3359954DFA1
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetSystemTimes.KERNEL32(?,?,?), ref: 06D01574
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.625351174.0000000006D00000.00000040.00000001.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: SystemTimes
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 375623090-0
                                                                                                                              • Opcode ID: 4c4b4f8c9d1be5a4d37303baaf2c05199d7ba16dcff1c1e935e4c13e27dcb44c
                                                                                                                              • Instruction ID: 18b9523593338fc6070b040b2ea446d5d93a658c5d9be9f7d7417a8f35f40648
                                                                                                                              • Opcode Fuzzy Hash: 4c4b4f8c9d1be5a4d37303baaf2c05199d7ba16dcff1c1e935e4c13e27dcb44c
                                                                                                                              • Instruction Fuzzy Hash: CB3110B4D052489FDB50CFA9C984BDEBBF4BF49310F24816AE808EB251D3749945CFA1
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetSystemTimes.KERNEL32(?,?,?), ref: 06D01574
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.625351174.0000000006D00000.00000040.00000001.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: SystemTimes
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 375623090-0
                                                                                                                              • Opcode ID: cf5eed71afe6dfee7d12c4d4e07751413ca6f892841f5716339897005908242e
                                                                                                                              • Instruction ID: d8cbf2a9dc9b139623cd09e4fa0f5f795754f45666cf174502f6c6bf97960e8e
                                                                                                                              • Opcode Fuzzy Hash: cf5eed71afe6dfee7d12c4d4e07751413ca6f892841f5716339897005908242e
                                                                                                                              • Instruction Fuzzy Hash: DE312FB4D052499FDB40CFA9D884BAEBBF4BF49310F24816AE818EB251D3349945CFA1
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 060F0DE9
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.624556711.00000000060F0000.00000040.00000001.sdmp, Offset: 060F0000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: CurrentThread
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 2882836952-0
                                                                                                                              • Opcode ID: 86606ea4aa66b6bad8fb0e9593af7b1d60e4578e4ff576881990c0b9ffd1eb68
                                                                                                                              • Instruction ID: 1383c1027a7b7bf7c978c534bc02cdcd6490061109b6bd7d51a3f8c29a7c0fd1
                                                                                                                              • Opcode Fuzzy Hash: 86606ea4aa66b6bad8fb0e9593af7b1d60e4578e4ff576881990c0b9ffd1eb68
                                                                                                                              • Instruction Fuzzy Hash: 72319A75E10218DFDB54DF68D498BDDBBF5EB48310F14841AE406AB741CB749846CF91
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 029FBD87
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.611925457.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: DuplicateHandle
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3793708945-0
                                                                                                                              • Opcode ID: 4b2fe1c051d7ba76bd9a2b1fb87ac0ac3a20f7175992e52ac2b087061104651a
                                                                                                                              • Instruction ID: 7ca5f10c671b8e4cf05efaf4667b3e709ffb2e1dc3f89ed3b101f4c5287d19de
                                                                                                                              • Opcode Fuzzy Hash: 4b2fe1c051d7ba76bd9a2b1fb87ac0ac3a20f7175992e52ac2b087061104651a
                                                                                                                              • Instruction Fuzzy Hash: 9B21B3B6D00248DFDB50CFA9D584AEEBBF5FB48324F14841AE918A7210D378A955CFA1
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • PostMessageW.USER32(?,010853E8,00000000,?), ref: 0506E73D
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.623704882.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: MessagePost
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 410705778-0
                                                                                                                              • Opcode ID: 31769fd6960c4424fcc68bba526bd3265795eab85cf24c0cb462e74a053189db
                                                                                                                              • Instruction ID: 3ed064cca5b5fb00389d57ff8f8c0c7b4fd9860070370ee6f829f7cc39d37112
                                                                                                                              • Opcode Fuzzy Hash: 31769fd6960c4424fcc68bba526bd3265795eab85cf24c0cb462e74a053189db
                                                                                                                              • Instruction Fuzzy Hash: 58216AB6904348CFDB10CF99C945BDEBBF4EF09320F14845AD854A7241D378A949CFA1
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 029FBD87
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.611925457.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: DuplicateHandle
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3793708945-0
                                                                                                                              • Opcode ID: 53ccbcb4777cdb5dd18b9c72f5be61cffb7c1450af058bd88fd79ad84b711f21
                                                                                                                              • Instruction ID: d3c0dd8c0b0c8c1529f17083cbbde031a43e043d875896d1cbb76a120b3807ba
                                                                                                                              • Opcode Fuzzy Hash: 53ccbcb4777cdb5dd18b9c72f5be61cffb7c1450af058bd88fd79ad84b711f21
                                                                                                                              • Instruction Fuzzy Hash: 3921C4B5D002489FDB50CF99D984ADEBBF9FF48324F14841AE918A7310D374A954CFA1
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0506B8B2,?,?,?,?,?), ref: 0506B957
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.623704882.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: CreateFromIconResource
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3668623891-0
                                                                                                                              • Opcode ID: 2450b8324adbcca1357203763c7e42517f2043438861e25ff30ea00520934880
                                                                                                                              • Instruction ID: 4d3d545337d923ebadd81050f29bed70374d60a5e1125c5c372fda6c30543d9b
                                                                                                                              • Opcode Fuzzy Hash: 2450b8324adbcca1357203763c7e42517f2043438861e25ff30ea00520934880
                                                                                                                              • Instruction Fuzzy Hash: 1C1123B29042499FDB10CFAAD844BEEBBF8EB49324F14841AE915A7210C374A954DFA1
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,029F96A9,00000800,00000000,00000000), ref: 029F98BA
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.611925457.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: LibraryLoad
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1029625771-0
                                                                                                                              • Opcode ID: b632fd9ac6330fdc1264bce8403a304c42aa14087eb59dd6843c03e6c78ad690
                                                                                                                              • Instruction ID: 09bfd3f2959caa4cba06a5489679ffd9c74f26b0712fcfe940e29749b959f373
                                                                                                                              • Opcode Fuzzy Hash: b632fd9ac6330fdc1264bce8403a304c42aa14087eb59dd6843c03e6c78ad690
                                                                                                                              • Instruction Fuzzy Hash: 691114B6D042498FDB50CF9AC444BDEFBF4EB48324F04842EE519A7600C774A945CFA5
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,029F96A9,00000800,00000000,00000000), ref: 029F98BA
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.611925457.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: LibraryLoad
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 1029625771-0
                                                                                                                              • Opcode ID: efa93120ae034a685e9563be47335282773625e06f8a7473824163c47d980861
                                                                                                                              • Instruction ID: 7766fcfc635567272ccf5bcd71545ff19ea63b7924271de3b29e37aebfa9101d
                                                                                                                              • Opcode Fuzzy Hash: efa93120ae034a685e9563be47335282773625e06f8a7473824163c47d980861
                                                                                                                              • Instruction Fuzzy Hash: 5E11E2B6D002498FEB50CFA9D544BDEBBF4EB48324F14842AD529A7600C778A945CFA5
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • PostMessageW.USER32(?,010853E8,00000000,?), ref: 0506E73D
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.623704882.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: MessagePost
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 410705778-0
                                                                                                                              • Opcode ID: 4a6b08258ca4dfbcd07403fbb4b9a4adb0ed1756f948e21191a447adf4cfac18
                                                                                                                              • Instruction ID: d3eb2ca5ebab2b991f724732c588f852621c79b3dddd26ced91de5ca2d000bd7
                                                                                                                              • Opcode Fuzzy Hash: 4a6b08258ca4dfbcd07403fbb4b9a4adb0ed1756f948e21191a447adf4cfac18
                                                                                                                              • Instruction Fuzzy Hash: 6B1125B59043499FDB10CF99D985BEFBBF8FB48320F14841AE554A7240D778A984CFA1
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              APIs
                                                                                                                              • SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,0506226A,?,00000000,?), ref: 0506C435
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.623704882.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID: MessageSend
                                                                                                                              • String ID:
                                                                                                                              • API String ID: 3850602802-0
                                                                                                                              • Opcode ID: b6a9b325d45b385c1d15a8d8394b39d0ca368d554ba42f2a06c814a2d8907b2d
• Instruction ID: a398e5257c17cbb50dbd47c7ee67401508e39b869a0ad192f60c20f20d1f04bf
• Opcode Fuzzy Hash: b6a9b325d45b385c1d15a8d8394b39d0ca368d554ba42f2a06c814a2d8907b2d
• Instruction Fuzzy Hash: A71115B5804748DFDB10CF99D985BEEBBF8FB49324F10841AE959A7600C3B4A944CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 0506BCBD
Memory Dump Source
• Source File: 0000000F.00000002.623704882.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 5684c0bf356ae4d65597607219edec5e96bf2a0376ec72c0119575a9efae6032
• Instruction ID: 946799014e1838dfced024f6fb3b98a13d335f78faec6a00488a82259efa74cd
• Opcode Fuzzy Hash: 5684c0bf356ae4d65597607219edec5e96bf2a0376ec72c0119575a9efae6032
• Instruction Fuzzy Hash: BF11F2B5904748DFDB10CF99D585BDEBBF8FB48320F108419E515A7600C774AA84CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,00000018,00000001,?), ref: 0506D29D
Memory Dump Source
• Source File: 0000000F.00000002.623704882.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 6c03b4705ba990609253b4aa0cf2bb236353e017f9933349acb5c13df3c9d145
• Instruction ID: c9251c8fe494b60a2de6b6671d190a6c780bcbd2023ae047b765e40fdf85979d
• Opcode Fuzzy Hash: 6c03b4705ba990609253b4aa0cf2bb236353e017f9933349acb5c13df3c9d145
• Instruction Fuzzy Hash: 281103B69043499FDB10CF9AD584BDEBBF8FB58324F10841AE915A7200C3B4A984CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 029F962E
Memory Dump Source
• Source File: 0000000F.00000002.611925457.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 780934661b98214e8e714d9d6e7499285e7dccd0563284f2bf092f7e244f3b9c
• Instruction ID: 443be3c3d56130573e11264704cd695dd5046c0b16b21057684496d9dcf6fe73
• Opcode Fuzzy Hash: 780934661b98214e8e714d9d6e7499285e7dccd0563284f2bf092f7e244f3b9c
• Instruction Fuzzy Hash: DE11E0B6D006498FDB50CF9AC544BDEFBF8AF89224F14845AD529A7600C374A546CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 0506F435
Memory Dump Source
• Source File: 0000000F.00000002.623704882.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: 6707f5bce77faf25196bec22934d19c72424ad2a74fd784885cb7c69bfe0510c
• Instruction ID: 0e83f2e293844bc30da0555be7a399c9027ae637a556ac9e0d4f91663510814b
• Opcode Fuzzy Hash: 6707f5bce77faf25196bec22934d19c72424ad2a74fd784885cb7c69bfe0510c
• Instruction Fuzzy Hash: EF1112B1904649CFCB20DF9AE488BDEBBF4EB48324F14845AE919B7600C774A945CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetWindowLongW.USER32(?,?,?), ref: 029FFE9D
Memory Dump Source
• Source File: 0000000F.00000002.611925457.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
• Opcode ID: 0fd4355442d5c7f08d41deedb7ae9d24d7d589e64c4456e91b3338a3e440e52d
• Instruction ID: b66430f8b266841ba1834d52edd6a03c40719e5a36fc1b8ee128b43e046c6ce7
• Opcode Fuzzy Hash: 0fd4355442d5c7f08d41deedb7ae9d24d7d589e64c4456e91b3338a3e440e52d
• Instruction Fuzzy Hash: F61133B5800209CFDB10CF99C585BDEBBF8EB48324F10845AD918B7741C374A945CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,00000018,00000001,?), ref: 0506D29D
Memory Dump Source
• Source File: 0000000F.00000002.623704882.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 7888192333a947592cf6f1e69c424003937f5b1d2154b4fde2ce4039693ec6d9
• Instruction ID: 875577dcd3d09ce6497a40c60776f76b68f832b4a4a45ea351abf3f2c79c579f
• Opcode Fuzzy Hash: 7888192333a947592cf6f1e69c424003937f5b1d2154b4fde2ce4039693ec6d9
• Instruction Fuzzy Hash: 7511F2B69002499FDB10CF99D985BDEBBF4FB58324F14840AE514A7600C378AA44CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,0506226A,?,00000000,?), ref: 0506C435
Memory Dump Source
• Source File: 0000000F.00000002.623704882.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 8004300e4349e3ff3da910dfcd0839e7ab1f3f3900fb8f3452b4cf665c86f0fb
• Instruction ID: 2ed7c0b3ba2055e43b5d9d85e687e0e417b4f31ac807c3cab708f2f75e395b7b
• Opcode Fuzzy Hash: 8004300e4349e3ff3da910dfcd0839e7ab1f3f3900fb8f3452b4cf665c86f0fb
• Instruction Fuzzy Hash: F61103B6C00248CFDB10CF99D985BEEBBF4FB48324F14840AD559A7600D374A945CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetWindowLongW.USER32(?,?,?), ref: 029FFE9D
Memory Dump Source
• Source File: 0000000F.00000002.611925457.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
• Opcode ID: 90ed859b507ece3d3fec408eb57cd470913ca14f898ec6588ca1482ad8aa6876
• Instruction ID: e2fbe73fb6a958489a4e27a14e4f1e6f4d7b50ff50de68b18dd246b132a710a7
• Opcode Fuzzy Hash: 90ed859b507ece3d3fec408eb57cd470913ca14f898ec6588ca1482ad8aa6876
• Instruction Fuzzy Hash: 581112B59002488FDB50CF99D585BDFBBF8EB48324F10845AE918A7740C374A944CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 0506F435
Memory Dump Source
• Source File: 0000000F.00000002.623704882.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: 76d09a5f338f21a5e4c2bf78a6ed777268f6a2ebc86a1e2d410e54ad395f1d7c
• Instruction ID: ad08924cbe621bf027e7742b41a3b06b905e244425bb1bf82104496f1d0a53d8
• Opcode Fuzzy Hash: 76d09a5f338f21a5e4c2bf78a6ed777268f6a2ebc86a1e2d410e54ad395f1d7c
• Instruction Fuzzy Hash: 6F1100B5904649CFCB10CFA9E589BDEBBF4AB48224F14851AD519A7600C374A945CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 0506BCBD
Memory Dump Source
• Source File: 0000000F.00000002.623704882.0000000005060000.00000040.00000001.sdmp, Offset: 05060000, based on PE: false
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 151de0c32f4e028f3ee7a1ed4bcf0aa571584d8968bfc5b7a0b3b720d42c786b
• Instruction ID: cda230ccf3a6bddf617f49e44f5c7019cc80eb42d8a628d990b970e51549a0f4
• Opcode Fuzzy Hash: 151de0c32f4e028f3ee7a1ed4bcf0aa571584d8968bfc5b7a0b3b720d42c786b
• Instruction Fuzzy Hash: 4B11BDB9800649CFDB50CF99D585BEEBBF4EB48324F14841AE819A7600C374AA84CFA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.625416909.0000000006F10000.00000040.00000001.sdmp, Offset: 06F10000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8dd0a547888c43ac6bd86ac48aa2b6188b7aa00d22033533fe119f032e4fd736
• Instruction ID: 3ccbd319dc901b3fe4f55a4c1e8c0112cc2472a0ff8c8f51d46ff140df480445
• Opcode Fuzzy Hash: 8dd0a547888c43ac6bd86ac48aa2b6188b7aa00d22033533fe119f032e4fd736
• Instruction Fuzzy Hash: 1E41BF31B102048F8F88EBB9C8546AEB6F7AF99644B14842DD50AEB781EF309C01C7E5
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.625416909.0000000006F10000.00000040.00000001.sdmp, Offset: 06F10000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 40cb41bded120622fb1969edbd5446f6a8f8668096325d127929d1d1e84b260e
• Instruction ID: 640d2de03b690631a284e3b758c5b052db4e9ddaf25c3f1a1de74154073df085
• Opcode Fuzzy Hash: 40cb41bded120622fb1969edbd5446f6a8f8668096325d127929d1d1e84b260e
• Instruction Fuzzy Hash: 6C314632B052448F8B99E7B999202BEB7F79FD9184714442EC60AEF741EF208D0583E6
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.625416909.0000000006F10000.00000040.00000001.sdmp, Offset: 06F10000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e89becc2ed36e50926f42489d5063ad541370a35c879467430cd0f1f5297cf5
• Instruction ID: f5e6200efa7d5ccd0295e52a66647016e86e36ad96ee7c2a6bebb2d044bafe7c
• Opcode Fuzzy Hash: 5e89becc2ed36e50926f42489d5063ad541370a35c879467430cd0f1f5297cf5
• Instruction Fuzzy Hash: D1319A36D10308DFDB14CF55D480ADEBBB1FB89358F20856AD405AB641DB72AA86CF80
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.607721119.0000000000C3D000.00000040.00000001.sdmp, Offset: 00C3D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7f208f0ed14de5a9460a205ece0b769dfd37ce6864abbb669826a0e1f676fae6
• Instruction ID: fc1fba6020616647eb29864afba5a2b0ef2cf5486f534489d83404ae1a0731ee
• Opcode Fuzzy Hash: 7f208f0ed14de5a9460a205ece0b769dfd37ce6864abbb669826a0e1f676fae6
• Instruction Fuzzy Hash: D62125B2514240DFDB01DF54E9C0B27BF66FB98328F24C569E90B0B246C336D955DBA2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.607885323.0000000000C4D000.00000040.00000001.sdmp, Offset: 00C4D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3c25f6e486f261ab8a46afa1b32377515aa9ff44a29a79e36be9104f8c2f49ec
• Instruction ID: a1f63863ea8f69d57dfd75b4c640c5bfc5799f405fef4b2fe36415ac171a7a3f
• Opcode Fuzzy Hash: 3c25f6e486f261ab8a46afa1b32377515aa9ff44a29a79e36be9104f8c2f49ec
• Instruction Fuzzy Hash: 4D210475504340DFCB14EF14D9C4B26BB65FB88314F24C9A9E80A4B346C73AD847DB61
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.607885323.0000000000C4D000.00000040.00000001.sdmp, Offset: 00C4D000, based on PE: false
Similarity
• API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: d449910a026fb3f19f28e4ae4bea81dda63afebd21e7eb8d8ec89d6abf32a5c5
                                                                                                                              • Instruction ID: cd935450976bfec39be5d54dc72cfa777c681997ef976fce0381f849c399c2e4
                                                                                                                              • Opcode Fuzzy Hash: d449910a026fb3f19f28e4ae4bea81dda63afebd21e7eb8d8ec89d6abf32a5c5
                                                                                                                              • Instruction Fuzzy Hash: AB218E755093C08FCB02CF20D994B15BF71FB46314F28C5EAD8498B6A7C33A994ACB62
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.607721119.0000000000C3D000.00000040.00000001.sdmp, Offset: 00C3D000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 2afa457568e0bb640a5e96658e9777ab49a47e984ab559958fa4953148591eca
                                                                                                                              • Instruction ID: e9790a89c144fdbba9dfad5e78a45d1a1749d94c31a10deb2a420963bf239fa4
                                                                                                                              • Opcode Fuzzy Hash: 2afa457568e0bb640a5e96658e9777ab49a47e984ab559958fa4953148591eca
                                                                                                                              • Instruction Fuzzy Hash: F511E6B6804280CFCF12CF14D5C4B56BF72FB94324F24C6A9D8060B656C336D95ACBA2
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.625416909.0000000006F10000.00000040.00000001.sdmp, Offset: 06F10000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: e69d4e4b7d0230de28724fb620886252349472a24b39c265612a7fdd3261fc35
                                                                                                                              • Instruction ID: 8549c68fbb8716891df5919b20122292ee004a299474baeb55a357350c2404b5
                                                                                                                              • Opcode Fuzzy Hash: e69d4e4b7d0230de28724fb620886252349472a24b39c265612a7fdd3261fc35
                                                                                                                              • Instruction Fuzzy Hash: 2B01047271C204DFB7A86B20987443A7B23EBC03A1384C869E0478F245DF758CC08BD0
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.625416909.0000000006F10000.00000040.00000001.sdmp, Offset: 06F10000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 3cf36fff40072385f9649756bc9792cd48481bc8f067e5356c6bab26f753c112
                                                                                                                              • Instruction ID: 9ad30f61211d746174146c03e6e2a8b2cc800a39a9d383b9ece97ef7a46933a4
                                                                                                                              • Opcode Fuzzy Hash: 3cf36fff40072385f9649756bc9792cd48481bc8f067e5356c6bab26f753c112
                                                                                                                              • Instruction Fuzzy Hash: A101D63260D144CFE7662B51945457A7F77EBC12A1728805BE1638E5C2CF359CC2CBD2
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.625416909.0000000006F10000.00000040.00000001.sdmp, Offset: 06F10000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 218da10807618facb51ad6f12514be92b04476543442d7d4605e2f087ef76bcf
                                                                                                                              • Instruction ID: 8fcb6e5a9a0c0d1fa3446bf5ccd6925b4716b497cfdbb6c89ddb83c55cb8d87f
                                                                                                                              • Opcode Fuzzy Hash: 218da10807618facb51ad6f12514be92b04476543442d7d4605e2f087ef76bcf
                                                                                                                              • Instruction Fuzzy Hash: 16F0A4627180955BF368B26C68103AFA1CB8BC9654F25C83ED30B9F395DE649D4203EA
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.625416909.0000000006F10000.00000040.00000001.sdmp, Offset: 06F10000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 3e1890dbdcd3ca11e24c5ffd740d31cd866a8542b8801cd3d99829986cbdd845
                                                                                                                              • Instruction ID: dbc8c8855b1ce8d496959be984b4def94aa1259f561a0ba48d16aa6e407ab9be
                                                                                                                              • Opcode Fuzzy Hash: 3e1890dbdcd3ca11e24c5ffd740d31cd866a8542b8801cd3d99829986cbdd845
                                                                                                                              • Instruction Fuzzy Hash: 56F0C836A1D000CFE7A91A50A05463D7B73EBC02B2718801BE1635E5C2CF35D8C1CBC1
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.625416909.0000000006F10000.00000040.00000001.sdmp, Offset: 06F10000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 9be60fbadaeac9c09f0e4b2038c07909e34733e1323ef14ea3a50d871ea878c4
                                                                                                                              • Instruction ID: 3a61463bba4a3043a71dfaf956cd247a4d802d33bb94d8c0567c38e963d6bf7a
                                                                                                                              • Opcode Fuzzy Hash: 9be60fbadaeac9c09f0e4b2038c07909e34733e1323ef14ea3a50d871ea878c4
                                                                                                                              • Instruction Fuzzy Hash: 4EE0BF19B5C2155ABFD832A56C2677E128DCBC19D4F100166E9369E2C5EE958C8102FF
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.625416909.0000000006F10000.00000040.00000001.sdmp, Offset: 06F10000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: bf3ec6ebe0237c7e1486daebc5433b2d84e7e75b5d6f9326ed5399ea7c18b486
                                                                                                                              • Instruction ID: c95751743e017d03f985866a6b71c32d6e7d34a32c02d541870eed30cf82cf4a
                                                                                                                              • Opcode Fuzzy Hash: bf3ec6ebe0237c7e1486daebc5433b2d84e7e75b5d6f9326ed5399ea7c18b486
                                                                                                                              • Instruction Fuzzy Hash: 21F0A071D0420EAFD780DBA888116AEBFF0AB04250F2089AAC055EB542D37456028F91
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.625416909.0000000006F10000.00000040.00000001.sdmp, Offset: 06F10000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 9e25fd6e073d09e69aeeb5269c5333ea396285d00477f315cab2aba5f874848b
                                                                                                                              • Instruction ID: 871cc20427cfd090c5f144ff7b1f1f4a8ec57c9f20fce4851ce1477d3a974668
                                                                                                                              • Opcode Fuzzy Hash: 9e25fd6e073d09e69aeeb5269c5333ea396285d00477f315cab2aba5f874848b
                                                                                                                              • Instruction Fuzzy Hash: 6BE0D8367492015B835462AEBC5566AFAEDAFD9662314417AE50EDB352CD608C4083E1
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.625416909.0000000006F10000.00000040.00000001.sdmp, Offset: 06F10000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 8d141daab95bf6baa673cc237e37d90df5da859b2e04b509c5b9745280d64ada
                                                                                                                              • Instruction ID: dafcdf086fdb6ae9d56518886d25adfb4173e70c22b2e9cbad8ad952e450c031
                                                                                                                              • Opcode Fuzzy Hash: 8d141daab95bf6baa673cc237e37d90df5da859b2e04b509c5b9745280d64ada
                                                                                                                              • Instruction Fuzzy Hash: E7E02B367091014BC30496BDBD56266AAE96FD8212318407AD40FDB353DD208C4083E1
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.625416909.0000000006F10000.00000040.00000001.sdmp, Offset: 06F10000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 6d0ba9dad0be2b8b86b5f9da6eeba9db0e482fd47df0554e928ddb556582ecc5
                                                                                                                              • Instruction ID: 1d1a3455b0d15284a6087d8e22b471f126b49fed583a6ce845bcda4429898e91
                                                                                                                              • Opcode Fuzzy Hash: 6d0ba9dad0be2b8b86b5f9da6eeba9db0e482fd47df0554e928ddb556582ecc5
                                                                                                                              • Instruction Fuzzy Hash: 09E02B367042004BC344576CBD5536676CA5BC8116318417AE40EDB317CD248C4083E1
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.625416909.0000000006F10000.00000040.00000001.sdmp, Offset: 06F10000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: dc6679128c986fd695dfdfa45e8d15d9c289546f233f815f0051d5b9a74ad290
                                                                                                                              • Instruction ID: 2bd40787d41e441127abee7caf07a4924b3bdddbb957f6f1db114651ebf6d271
                                                                                                                              • Opcode Fuzzy Hash: dc6679128c986fd695dfdfa45e8d15d9c289546f233f815f0051d5b9a74ad290
                                                                                                                              • Instruction Fuzzy Hash: 87E0DF367083015B835463AEBC6566ABADA9BC9666714817AE40ECB326CE609C4083E2
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.625416909.0000000006F10000.00000040.00000001.sdmp, Offset: 06F10000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 7dde440f2e7ae507b07437970519a34be471a776ace1493e7ded835dbcfcbcfe
                                                                                                                              • Instruction ID: 92333525e4c561dfa413ba4c434410a2dae491252a49721b3e760b9a5e91ee71
                                                                                                                              • Opcode Fuzzy Hash: 7dde440f2e7ae507b07437970519a34be471a776ace1493e7ded835dbcfcbcfe
                                                                                                                              • Instruction Fuzzy Hash: 04E09236F09290CFC7618790EA621A23B759A0214631989CBD0468F561C7329865C7D2
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.625416909.0000000006F10000.00000040.00000001.sdmp, Offset: 06F10000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: dadaf436053be694da219ff0d6858e56adadd7ec662dbd8472e13916f336c250
                                                                                                                              • Instruction ID: 03c4f05d0c4985be22b59e5931c4b0b35a56b1d6bd82e6caeb5fe01f8d04dd83
                                                                                                                              • Opcode Fuzzy Hash: dadaf436053be694da219ff0d6858e56adadd7ec662dbd8472e13916f336c250
                                                                                                                              • Instruction Fuzzy Hash: 25E08C57F5C2904EBBC426A06C277762615CF818D0F0001A7D93AAE2D6ED908C8002DB
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.625416909.0000000006F10000.00000040.00000001.sdmp, Offset: 06F10000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 7ffc0c40bce41f9a9519ea9132367cdc6a071705f0ae65e8b07093084fd355d7
                                                                                                                              • Instruction ID: 9a2a9a823dbbb442e416ad151596c1f77d7a76b8baaf7f2d9f7a80d8bdefd6c3
                                                                                                                              • Opcode Fuzzy Hash: 7ffc0c40bce41f9a9519ea9132367cdc6a071705f0ae65e8b07093084fd355d7
                                                                                                                              • Instruction Fuzzy Hash: 84E07D36F04250CB873056C190251A7777DAE012CA7188999E5870E400CB32C812C7C2
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.625416909.0000000006F10000.00000040.00000001.sdmp, Offset: 06F10000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 7d41b9b3832c84019c49af2bb71700bfeef2f0c5591c35e43b1463670e96476f
                                                                                                                              • Instruction ID: d08f97c723c4001851ed77e103e780f4fc970ed0b5076539c5bca11f31917950
                                                                                                                              • Opcode Fuzzy Hash: 7d41b9b3832c84019c49af2bb71700bfeef2f0c5591c35e43b1463670e96476f
                                                                                                                              • Instruction Fuzzy Hash: 27D02B32B04210D7A6700A41C4360B37B699A023D679484E9E08A0F249CF32D8C2CBC1
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.625416909.0000000006F10000.00000040.00000001.sdmp, Offset: 06F10000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 3a1622a4907087500c251de9b62b2eabed2b7b03044f923d3158f8fbe3aa50d4
                                                                                                                              • Instruction ID: a8b2e56337831f1221ef6dbf72d48933a818825c5619f486c705c085566cab72
                                                                                                                              • Opcode Fuzzy Hash: 3a1622a4907087500c251de9b62b2eabed2b7b03044f923d3158f8fbe3aa50d4
                                                                                                                              • Instruction Fuzzy Hash: 7AE0ECB1D0030DDED780EFA8C5117AEBFF4AB04304F208969C015EA641E7B596058F91
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.625416909.0000000006F10000.00000040.00000001.sdmp, Offset: 06F10000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 40e7d445563b32024dcb2a7d426101cb26c0cff677d780133c75edc3cc46ced1
                                                                                                                              • Instruction ID: b11f113d898fbdbdf59d040fbabcc61778ecd7fa9a965b5245962f568b9d9cfd
                                                                                                                              • Opcode Fuzzy Hash: 40e7d445563b32024dcb2a7d426101cb26c0cff677d780133c75edc3cc46ced1
                                                                                                                              • Instruction Fuzzy Hash: AFC0803E744140EBD758C7707B44767231757C4316B1DD405F50D9F554C53148124580
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.625416909.0000000006F10000.00000040.00000001.sdmp, Offset: 06F10000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: b8eebe67fe3561e05fc5e0f41ff09b5c46b500dc048e1e8726f517118fad2112
                                                                                                                              • Instruction ID: 6367837061be8a200f3696cf02d83a6cfa7b1b42da7642aa1ffac3bb22475051
                                                                                                                              • Opcode Fuzzy Hash: b8eebe67fe3561e05fc5e0f41ff09b5c46b500dc048e1e8726f517118fad2112
                                                                                                                              • Instruction Fuzzy Hash: 06C08C32758344DBEB58D7656880B27335F63C8705F04D010B60E9E1448A61681144C0
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.625416909.0000000006F10000.00000040.00000001.sdmp, Offset: 06F10000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 10be31f6adf28b579e1fdb2277984ef50e324bd50a1d0c5e58b7a75431914459
                                                                                                                              • Instruction ID: fbc52ec8f447d5e8a8f99805f1a8f86792de462b5b42bf156006dce325f5f3ed
                                                                                                                              • Opcode Fuzzy Hash: 10be31f6adf28b579e1fdb2277984ef50e324bd50a1d0c5e58b7a75431914459
                                                                                                                              • Instruction Fuzzy Hash: 57C08C7220D2E00EC31317A07E200E23F75494204A30900C3F0C98A092CA040A10C3A0
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.625416909.0000000006F10000.00000040.00000001.sdmp, Offset: 06F10000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: f51e95c739b045a7d20ca9de8801ae7dc261c19fd12ed44ba225a1278411c2f1
                                                                                                                              • Instruction ID: ca9a5abb2a25468620e13866633b98953511f78b7bc6be9fe9d4cf064a8be83f
                                                                                                                              • Opcode Fuzzy Hash: f51e95c739b045a7d20ca9de8801ae7dc261c19fd12ed44ba225a1278411c2f1
                                                                                                                              • Instruction Fuzzy Hash: 6EB0126562BD40CAFF984E2089EB6772E12CFC4771F1404C4A0270D2C2CD3584C1C6C4
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Non-executed Functions

                                                                                                                              Executed Functions

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000013.00000002.419542847.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: f7e33ace7b210b19f47b2a15bf3378de8ba572ceb099c9c1ff4cdf217e36ea5b
                                                                                                                              • Instruction ID: 4f0b50f78e8ae79a36d588006f2a71f4996e369f1542e977b5201634a7154c33
                                                                                                                              • Opcode Fuzzy Hash: f7e33ace7b210b19f47b2a15bf3378de8ba572ceb099c9c1ff4cdf217e36ea5b
                                                                                                                              • Instruction Fuzzy Hash: BB61FE74E012188FCB18DFB9D890AEDBBB2BF89304F20846DD419AB754DB34A946CF54
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000013.00000002.419542847.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 93b044582b10f55db3e43e6b358ea1d2d1992ef58efa3719c0f23246ab8dee89
                                                                                                                              • Instruction ID: b38491ee40860e10ed1c7a70f7066f1483b53820a3b770344b582f8fc70145d0
                                                                                                                              • Opcode Fuzzy Hash: 93b044582b10f55db3e43e6b358ea1d2d1992ef58efa3719c0f23246ab8dee89
                                                                                                                              • Instruction Fuzzy Hash: 4061DD74E01218CFDB18DFB9D990AEDBBB2BF89304F20846AD409AB754DB34A945CF54
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000013.00000002.419542847.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 5d69b74cec97137ef50ad02b8d71fc5dd528e918f110bd585dbe8975fccda064
                                                                                                                              • Instruction ID: a2bf1880b95f4a44f6d01b41c3aafbbddf0471f402eab1f551804fe29eb185aa
                                                                                                                              • Opcode Fuzzy Hash: 5d69b74cec97137ef50ad02b8d71fc5dd528e918f110bd585dbe8975fccda064
                                                                                                                              • Instruction Fuzzy Hash: 98216D74D49208CFDB05EFA8D4947FEBBB5AB4A304F0468A9D016A7291DB38484ACF58
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000013.00000002.419542847.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 72b0c7e57b09dcf0856fb20328dc12c70ba22d2f4fc6c7373f0004f8837a9e74
                                                                                                                              • Instruction ID: c1769e981c8edc3a3717383eeda0264d710ada452fd5020214f43a1b7a5173f0
                                                                                                                              • Opcode Fuzzy Hash: 72b0c7e57b09dcf0856fb20328dc12c70ba22d2f4fc6c7373f0004f8837a9e74
                                                                                                                              • Instruction Fuzzy Hash: C7012970D092499FCB05DFF8D4506EEBBB1EF8A308F1048AAC504A7691DB741A56CF91
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000013.00000002.419542847.0000000002B00000.00000040.00000001.sdmp, Offset: 02B00000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 3846fcac94175110c980b7eee4a2d25beef23de5001d28109558548d616c1650
                                                                                                                              • Instruction ID: 5d3d22af0980465501550dde38e24d947ea3cea031964da898ce867e77f9fb94
                                                                                                                              • Opcode Fuzzy Hash: 3846fcac94175110c980b7eee4a2d25beef23de5001d28109558548d616c1650
                                                                                                                              • Instruction Fuzzy Hash: 1FC09B308957098FC51526D4784C779B66CF70634EF481D54B50D124915FB0D866C559
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Non-executed Functions

                                                                                                                              Executed Functions

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000016.00000002.608539778.0000000001890000.00000040.00000001.sdmp, Offset: 01890000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: afbb318585b4b412a2b8200097bd72b4c1d14dc4876cef17b2cb6587c4db2ad8
                                                                                                                              • Instruction ID: 349f2649c9d9d7051bb07b2a8e8e27f1e7f7d70a9e60096986276f846a25e2fe
                                                                                                                              • Opcode Fuzzy Hash: afbb318585b4b412a2b8200097bd72b4c1d14dc4876cef17b2cb6587c4db2ad8
                                                                                                                              • Instruction Fuzzy Hash: BC71EF74E01208CFCB18DFB9D890AEDBBB6BF89308F20946AD419AB754DB349945CF54
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000016.00000002.608539778.0000000001890000.00000040.00000001.sdmp, Offset: 01890000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: dfde8b486539bc12d0068552808eb44699f44d391d57394543f952c7ffdd10f4
                                                                                                                              • Instruction ID: 07e79dff1c7b12e63f1694bfa1b87edb467dc0edeae7b6b0081e61570ccbb1f4
                                                                                                                              • Opcode Fuzzy Hash: dfde8b486539bc12d0068552808eb44699f44d391d57394543f952c7ffdd10f4
                                                                                                                              • Instruction Fuzzy Hash: 3761DD70E01208CFCB18DFB9D990AEDBBB2BF89304F20946AD419AB754DB34A945CF54
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000016.00000002.608539778.0000000001890000.00000040.00000001.sdmp, Offset: 01890000, based on PE: false
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: e20d7ba1181ee85176d082fc8c670b65eeb88cab79f0cde3338bc3386d355a2c
                                                                                                                              • Instruction ID: 99599a3b7a94f6dc188c66ae94a24c07bc1ba941ebc75d3347cf8bb0e8befa11
                                                                                                                              • Opcode Fuzzy Hash: e20d7ba1181ee85176d082fc8c670b65eeb88cab79f0cde3338bc3386d355a2c
                                                                                                                              • Instruction Fuzzy Hash: EC214770D49208CBCB15CFA8E4547FDBBB9AF8A308F046829E519BB251D7794A09CF54
                                                                                                                              Uniqueness

                                                                                                                              Uniqueness Score: -1.00%

                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000016.00000002.608539778.0000000001890000.00000040.00000001.sdmp, Offset: 01890000, based on PE: false
Non-executed Functions

Executed Functions

Memory Dump Source
• Source File: 00000017.00000002.432888485.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
Non-executed Functions

Executed Functions

Memory Dump Source
• Source File: 00000018.00000002.608964890.0000000000FE0000.00000040.00000001.sdmp, Offset: 00FE0000, based on PE: false
Non-executed Functions