
Analysis Report order-181289654312464648.exe

Overview

General Information

Sample Name: order-181289654312464648.exe
Analysis ID: 339042
MD5: 28da42c2cd57e51cb8ea7df263802924
SHA1: 81c980f2cda9b42b0b8bf50c7128cc88afd942fd
SHA256: 2d564ae361eb499ca493273e9fcfb88546105c88293c7633a7e1580a435cee9f
Tags: exe, NanoCore, RAT


Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • order-181289654312464648.exe (PID: 5964 cmdline: 'C:\Users\user\Desktop\order-181289654312464648.exe' MD5: 28DA42C2CD57E51CB8EA7DF263802924)
    • fdcgjhjyuyihdastagghejh.exe (PID: 6692 cmdline: 'C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe' MD5: 28DA42C2CD57E51CB8EA7DF263802924)
      • AddInProcess32.exe (PID: 4316 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
      • fdexedxfuuyytwq.exe (PID: 5168 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • fdexedxfuuyytwq.exe (PID: 5188 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • fdexedxfuuyytwq.exe (PID: 5688 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • fdexedxfuuyytwq.exe (PID: 3564 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • fdexedxfuuyytwq.exe (PID: 1048 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • fdexedxfuuyytwq.exe (PID: 5044 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • fdexedxfuuyytwq.exe (PID: 6328 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • fdexedxfuuyytwq.exe (PID: 6816 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • fdexedxfuuyytwq.exe (PID: 6880 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • fdexedxfuuyytwq.exe (PID: 6708 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • fdexedxfuuyytwq.exe (PID: 6800 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • fdexedxfuuyytwq.exe (PID: 5504 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • fdexedxfuuyytwq.exe (PID: 6124 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • fdexedxfuuyytwq.exe (PID: 6892 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • fdexedxfuuyytwq.exe (PID: 2792 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • fdexedxfuuyytwq.exe (PID: 6936 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • fdexedxfuuyytwq.exe (PID: 7120 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.157.162.81"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
Source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
Source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 0000000F.00000002.624910732.0000000006BD0000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x8ba5:$x1: NanoCore.ClientPluginHost
  • 0x8bd2:$x2: IClientNetworkHost
Source: 0000000F.00000002.624910732.0000000006BD0000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0x8ba5:$x2: NanoCore.ClientPluginHost
  • 0x9b74:$s2: FileCommand
  • 0xe576:$s4: PipeCreated
  • 0x8bbf:$s5: IClientLoggingHost
(5 of 66 memory-dump entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 15.2.AddInProcess32.exe.6bc0000.8.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x2dbb:$x1: NanoCore.ClientPluginHost
  • 0x2de5:$x2: IClientNetworkHost
Source: 15.2.AddInProcess32.exe.6bc0000.8.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0x2dbb:$x2: NanoCore.ClientPluginHost
  • 0x4c6b:$s4: PipeCreated
Source: 15.2.AddInProcess32.exe.6ca0000.18.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1d3db:$x1: NanoCore.ClientPluginHost
  • 0x1d3f5:$x2: IClientNetworkHost
Source: 15.2.AddInProcess32.exe.6ca0000.18.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0x1d3db:$x2: NanoCore.ClientPluginHost
  • 0x20718:$s4: PipeCreated
  • 0x1d3c8:$s5: IClientLoggingHost
Source: 15.2.AddInProcess32.exe.6c60000.15.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x39eb:$x1: NanoCore.ClientPluginHost
  • 0x3a24:$x2: IClientNetworkHost
(5 of 51 unpacked-PE entries shown)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ProcessId: 4316, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Found malware configuration
Source: AddInProcess32.exe.4316.15.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["185.157.162.81"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | Virustotal: Detection: 7%
Yara detected Nanocore RAT
Source: Yara match | File source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.619247841.0000000003B51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.620771478.0000000003F6F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: order-181289654312464648.exe PID: 5964, type: MEMORY
Source: Yara match | File source: Process Memory Space: fdcgjhjyuyihdastagghejh.exe PID: 6692, type: MEMORY
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 4316, type: MEMORY
Source: Yara match | File source: 15.2.AddInProcess32.exe.5c00000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.AddInProcess32.exe.5c00000.6.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: order-181289654312464648.exe | Joe Sandbox ML: detected
Source: 15.2.AddInProcess32.exe.5c00000.6.unpack | Avira: Label: TR/NanoCore.fadte
Source: 15.2.AddInProcess32.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: order-181289654312464648.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: order-181289654312464648.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: AddInProcess32.pdb | source: AddInProcess32.exe, AddInProcess32.exe.0.dr
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb | source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
Source: Binary string: AddInProcess32.pdbpw | source: AddInProcess32.exe, 0000000F.00000000.391348657.00000000006A2000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb | source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb | source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb | source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\order-181289654312464648.exe | Code function: 4x nop then jmp 027EF56Eh
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 4x nop then jmp 031DF56Eh
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | Code function: 4x nop then jmp 02B00799h
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | Code function: 4x nop then jmp 02B00799h
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | Code function: 4x nop then jmp 01890799h
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | Code function: 4x nop then jmp 01890799h
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | Code function: 4x nop then jmp 00DD0799h
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | Code function: 4x nop then jmp 00DD0799h
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | Code function: 4x nop then jmp 00FE0799h
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | Code function: 4x nop then jmp 00FE0799h

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 185.157.162.81
Source: global traffic | TCP traffic: 192.168.2.3:49741 -> 185.157.162.81:40700
Source: global traffic | TCP traffic: 192.168.2.3:49747 -> 185.157.161.86:40700
Source: Joe Sandbox View | IP Address: 185.157.162.81
Source: Joe Sandbox View | ASN Name: OBE-EUROPEObenetworkEuropeSE
Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.81 (reported 9 times)
Source: unknown | DNS traffic detected: queries for: nanopc.linkpc.net
Source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp | String found in binary or memory: http://google.com
Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.616518111.0000000001789000.00000004.00000040.sdmp | String found in binary or memory: http://iptc.tc4xmp3
Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.616518111.0000000001789000.00000004.00000040.sdmp | String found in binary or memory: http://ns.ado/Ident
Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.614681646.000000000157B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: AddInProcess32.exe, 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.619247841.0000000003B51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.620771478.0000000003F6F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: order-181289654312464648.exe PID: 5964, type: MEMORY
Source: Yara match | File source: Process Memory Space: fdcgjhjyuyihdastagghejh.exe PID: 6692, type: MEMORY
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 4316, type: MEMORY
Source: Yara match | File source: 15.2.AddInProcess32.exe.5c00000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.AddInProcess32.exe.5c00000.6.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000F.00000002.624910732.0000000006BD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000F.00000002.625265297.0000000006CE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.625016694.0000000006C30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.624983363.0000000006C10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000F.00000002.620423784.0000000003E84000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.625032550.0000000006C40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000F.00000002.625156989.0000000006CA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.625048622.0000000006C50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.625126493.0000000006C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000F.00000002.624889874.0000000006BC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000F.00000002.619550033.0000000003C3E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.625086476.0000000006C70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000F.00000002.624999401.0000000006C20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000F.00000002.623946602.00000000051A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000F.00000002.625068564.0000000006C60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000F.00000002.620771478.0000000003F6F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: order-181289654312464648.exe PID: 5964, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: order-181289654312464648.exe PID: 5964, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: fdcgjhjyuyihdastagghejh.exe PID: 6692, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: fdcgjhjyuyihdastagghejh.exe PID: 6692, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: AddInProcess32.exe PID: 4316, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: AddInProcess32.exe PID: 4316, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.AddInProcess32.exe.6bc0000.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6ca0000.18.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c60000.15.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 15.2.AddInProcess32.exe.5c00000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c10000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c70000.16.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6ce0000.19.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c50000.14.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6ce0000.19.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6bd0000.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c20000.11.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 15.2.AddInProcess32.exe.51a0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c60000.15.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c90000.17.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c90000.17.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c20000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6bc0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c30000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.AddInProcess32.exe.6c30000.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c40000.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c70000.16.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 15.2.AddInProcess32.exe.5c00000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c50000.14.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6ca0000.18.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6bd0000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
    Initial sample is a PE file and has a suspicious nameShow sources
    Source: initial sampleStatic PE information: Filename: order-181289654312464648.exe
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exeCode function: 13_2_05AE3D68 CreateProcessAsUserW,
    Source: C:\Users\user\Desktop\order-181289654312464648.exeCode function: 0_2_027EBB69
    Source: C:\Users\user\Desktop\order-181289654312464648.exeCode function: 0_2_027E9941
    Source: C:\Users\user\Desktop\order-181289654312464648.exeCode function: 0_2_027ED628
    Source: C:\Users\user\Desktop\order-181289654312464648.exeCode function: 0_2_027E7610
    Source: C:\Users\user\Desktop\order-181289654312464648.exeCode function: 0_2_027E3EF8
    Source: C:\Users\user\Desktop\order-181289654312464648.exeCode function: 0_2_027EA438
    Source: C:\Users\user\Desktop\order-181289654312464648.exeCode function: 0_2_027E04E8
    Source: C:\Users\user\Desktop\order-181289654312464648.exeCode function: 0_2_027EF598
    Source: C:\Users\user\Desktop\order-181289654312464648.exeCode function: 0_2_027EED98
    Source: C:\Users\user\Desktop\order-181289654312464648.exe | Code function: 0_2_027EF588
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_05AE2BC0
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_05AE0570
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_05AE0CA0
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_05AD63AB
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_05AD48A2
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_05AE2280
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_05AE36F0
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_05AE1E08
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_031DBB69
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_031D9943
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_031D7610
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_031DD628
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_031D3EF8
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_031DF598
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_031DED98
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_031DA438
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_031D04E8
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_031DF588
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_006A2050
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_029FE480
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_029FE471
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_029FBBD4
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_0506F5F8
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_05069788
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_0506A580
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_060FF4C0
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_060F81C0
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_060F8E96
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_060F8DD8
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_06D03480
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_06D02340
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_06D0A0C8
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_06D00040
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_06D0A998
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_06D00920
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_06D0359E
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_06D09D80
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_06D000FE
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_06F10990
    Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
    Source: order-181289654312464648.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: fdcgjhjyuyihdastagghejh.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: order-181289654312464648.exe, 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAstronot plart.exe> vs order-181289654312464648.exe
    Source: order-181289654312464648.exe, 00000000.00000002.316232468.00000000051A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs order-181289654312464648.exe
    Source: order-181289654312464648.exe, 00000000.00000002.316201203.0000000005150000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs order-181289654312464648.exe
    Source: order-181289654312464648.exe, 00000000.00000002.316201203.0000000005150000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs order-181289654312464648.exe
    Source: order-181289654312464648.exe, 00000000.00000002.316495486.0000000005B50000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs order-181289654312464648.exe
    Source: order-181289654312464648.exe, 00000000.00000002.314823666.00000000039C1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSHCore1.dll0 vs order-181289654312464648.exe
    Source: order-181289654312464648.exe | Binary or memory string: OriginalFilenamehugefrssaw.exeH vs order-181289654312464648.exe
    Source: order-181289654312464648.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
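    The OriginalFilename lines above come from a plain string scan: the sandbox looks for the UTF-16LE VERSIONINFO key "OriginalFilename" in the file and in memory dumps and compares whatever follows it with the on-disk name. On the sample itself the hit is "hugefrssaw.exe", which is the real evidence that the file was renamed; the Kernelbase.dll.mui, propsys.dll.mui and SHCore hits are the version resources of system DLLs mapped into the process, and only show up because the dumps cover the whole address space. The Python below is an added example, not Joe Sandbox code: it performs that scan on a raw byte blob and reports values that disagree with the on-disk name. The SAMPLE_BLOB, the _string_entry builder used to construct it, and the _NOISE filter for mapped-module hits are all constructed for the demonstration (the two names are taken from the report); treating everything that ends in .dll/.mui/.sys as module noise is an assumption that is adequate for a triage check, not a rule.

```python
import re
import struct

# Key as it appears in a VS_VERSIONINFO String entry: UTF-16LE, NUL-terminated.
_KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"
# Assumption: hits ending like this come from system modules mapped into the
# process, not from the sample's own version resource.
_NOISE = re.compile(r"\.(dll|mui|sys)$", re.IGNORECASE)


def _read_utf16z(blob: bytes, off: int, limit: int = 260) -> str:
    """Read a NUL-terminated UTF-16LE string starting at off (at most limit chars)."""
    chars = []
    while off + 1 < len(blob) and len(chars) < limit:
        unit = blob[off:off + 2]
        if unit == b"\x00\x00":
            break
        chars.append(unit)
        off += 2
    return b"".join(chars).decode("utf-16-le", errors="replace")


def find_original_filenames(blob: bytes) -> list[str]:
    """Return every OriginalFilename value found by scanning raw bytes.

    A String entry is wLength, wValueLength, wType, szKey, DWORD padding,
    Value; the scan only needs the key and what follows it, which is why it
    works on memory dumps where the surrounding resource tree is unavailable.
    """
    found = []
    pos = blob.find(_KEY)
    while pos != -1:
        off = pos + len(_KEY)
        # skip the alignment padding (zero WORDs) between key and value
        while off < len(blob) and blob[off:off + 2] == b"\x00\x00":
            off += 2
        value = _read_utf16z(blob, off)
        if value:
            found.append(value)
        pos = blob.find(_KEY, pos + 2)
    return found


def name_mismatches(blob: bytes, on_disk_name: str) -> list[str]:
    """OriginalFilename values that disagree with the on-disk name, minus module noise."""
    return [
        v for v in find_original_filenames(blob)
        if v.lower() != on_disk_name.lower() and not _NOISE.search(v)
    ]


def _string_entry(key: str, value: str) -> bytes:
    """Build one VS_VERSIONINFO String structure (only used to construct the sample blob)."""
    k = key.encode("utf-16-le") + b"\x00\x00"
    v = value.encode("utf-16-le") + b"\x00\x00"
    body = k + b"\x00" * ((-(6 + len(k))) % 4) + v
    return struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body


# Constructed sample: a dump-like blob with filler, the sample's own version
# string and a mapped system DLL's version string, as seen in the report.
SAMPLE_NAME = "order-181289654312464648.exe"
SAMPLE_BLOB = (
    b"\x4d\x5a" + b"\x90" * 64
    + _string_entry("OriginalFilename", "hugefrssaw.exe")
    + b"\xcc" * 17
    + _string_entry("OriginalFilename", "Kernelbase.dll.mui")
    + b"\x00" * 8
)

if __name__ == "__main__":
    print("all hits:   ", find_original_filenames(SAMPLE_BLOB))
    print("mismatches: ", name_mismatches(SAMPLE_BLOB, SAMPLE_NAME))
```

    Run it against a file with `name_mismatches(open(path, "rb").read(), os.path.basename(path))`; on a process dump expect the module noise first and treat only a non-module hit, or a hit from the on-disk sample, as evidence of renaming.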
    Source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.624910732.0000000006BD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.624910732.0000000006BD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.625265297.0000000006CE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.625265297.0000000006CE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.625016694.0000000006C30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.625016694.0000000006C30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.624983363.0000000006C10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.624983363.0000000006C10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.620423784.0000000003E84000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.625032550.0000000006C40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.625032550.0000000006C40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.625156989.0000000006CA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.625156989.0000000006CA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.625048622.0000000006C50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.625048622.0000000006C50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.625126493.0000000006C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.625126493.0000000006C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.624889874.0000000006BC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.624889874.0000000006BC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.619550033.0000000003C3E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.625086476.0000000006C70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.625086476.0000000006C70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.624999401.0000000006C20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.624999401.0000000006C20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.623946602.00000000051A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.623946602.00000000051A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.625068564.0000000006C60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.625068564.0000000006C60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.620771478.0000000003F6F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: order-181289654312464648.exe PID: 5964, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: order-181289654312464648.exe PID: 5964, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: fdcgjhjyuyihdastagghejh.exe PID: 6692, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: fdcgjhjyuyihdastagghejh.exe PID: 6692, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: AddInProcess32.exe PID: 4316, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: AddInProcess32.exe PID: 4316, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.AddInProcess32.exe.6bc0000.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6bc0000.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6ca0000.18.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6ca0000.18.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6c60000.15.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6c60000.15.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.5c00000.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.5c00000.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6c10000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6c10000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6c70000.16.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6c70000.16.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6ce0000.19.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6ce0000.19.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6c50000.14.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6c50000.14.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6ce0000.19.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6ce0000.19.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6bd0000.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6bd0000.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6c20000.11.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6c20000.11.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.51a0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.51a0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6c60000.15.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6c60000.15.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6c90000.17.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6c90000.17.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6c90000.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6c90000.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6c20000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6c20000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6bc0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6bc0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6c30000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6c30000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.AddInProcess32.exe.6c30000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6c30000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6c40000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6c40000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6c70000.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6c70000.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.5c00000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.5c00000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6c50000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6c50000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6ca0000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6ca0000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.6bd0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.AddInProcess32.exe.6bd0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 15.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
    Source: 15.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
    Source: classification engine	Classification label: mal100.troj.evad.winEXE@41/29@1/3
    Source: C:\Users\user\Desktop\order-181289654312464648.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdcgjhjyuyihdastagghejh.lnk
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{ebbd9300-ed31-4d29-88d8-4f7b7a7f8653}
    Source: C:\Users\user\Desktop\order-181289654312464648.exe	File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
    Source: order-181289654312464648.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\order-181289654312464648.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\order-181289654312464648.exe	File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\order-181289654312464648.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\order-181289654312464648.exe	File read: C:\Users\user\Desktop\order-181289654312464648.exe
    Source: unknown	Process created: C:\Users\user\Desktop\order-181289654312464648.exe 'C:\Users\user\Desktop\order-181289654312464648.exe'
    Source: unknown	Process created: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe 'C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe'
    Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
    Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: C:\Users\user\Desktop\order-181289654312464648.exe	Process created: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe 'C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe'
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Process created: unknown unknown
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Process created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Process created: unknown unknown
    Source: C:\Users\user\Desktop\order-181289654312464648.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
    Source: C:\Users\user\Desktop\order-181289654312464648.exe	File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: order-181289654312464648.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: order-181289654312464648.exe	Static PE information: Virtual size of .text is bigger than: 0x100000
    Source: order-181289654312464648.exe	Static file information: File size 5815808 > 1048576
    Source: order-181289654312464648.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x55fe00
    Source: order-181289654312464648.exe	Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
    Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe, AddInProcess32.exe.0.dr
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
    Source: Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 0000000F.00000000.391348657.00000000006A2000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp

    Data Obfuscation:

    .NET source code contains potential unpacker
    Source: 15.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 15.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Binary contains a suspicious time stamp
    Source: initial sample	Static PE information: 0xC7142059 [Sun Nov 3 05:36:25 2075 UTC]
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Code function: 13_2_05AD05E6 pushfd ; iretd
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Code function: 13_2_05AD4B71 push es; iretd
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Code function: 13_2_05AD4E9A push es; iretd
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Code function: 13_2_05AD0A2A push ds; ret
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 15_2_029F4450 push FFFFFF89h; mov dword ptr [esp], eax
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 15_2_050669F8 pushad ; retf
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 15_2_060FC12D push es; iretd
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 15_2_060FC1FD push es; iretd
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 15_2_06D07E2C pushfd ; iretd
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 15_2_06D0F4F3 push B406CFCBh; retf
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 15_2_06D08479 pushfd ; iretd
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 15_2_06D085DC pushfd ; iretd
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 15_2_06D08538 pushfd ; iretd
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 15_2_06D082B8 pushfd ; iretd
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 15_2_06D083A1 pushfd ; iretd
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 15_2_06D08075 pushfd ; iretd
    Source: fdexedxfuuyytwq.exe.13.dr, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs	High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
    Source: fdexedxfuuyytwq.exe.13.dr, Astronotplart/gabKErPURPS76kDKjrme.cs	High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
    Source: fdexedxfuuyytwq.exe.13.dr, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs	High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
    Source: fdexedxfuuyytwq.exe.13.dr, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs	High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
    Source: fdexedxfuuyytwq.exe.13.dr, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs	High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
    Source: 15.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 15.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: 19.0.fdexedxfuuyytwq.exe.860000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs	High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
    Source: 19.0.fdexedxfuuyytwq.exe.860000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.cs	High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
    Source: 19.0.fdexedxfuuyytwq.exe.860000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs	High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
    Source: 19.0.fdexedxfuuyytwq.exe.860000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs	High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
    Source: 19.0.fdexedxfuuyytwq.exe.860000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs	High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
    Source: 19.2.fdexedxfuuyytwq.exe.860000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs	High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
    Source: 19.2.fdexedxfuuyytwq.exe.860000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.cs	High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
    Source: 19.2.fdexedxfuuyytwq.exe.860000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs	High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
    Source: 19.2.fdexedxfuuyytwq.exe.860000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.csHigh entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
    Source: 19.2.fdexedxfuuyytwq.exe.860000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
    Source: 22.2.fdexedxfuuyytwq.exe.da0000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
    Source: 22.2.fdexedxfuuyytwq.exe.da0000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
    Source: 22.2.fdexedxfuuyytwq.exe.da0000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.csHigh entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
    Source: 22.2.fdexedxfuuyytwq.exe.da0000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.csHigh entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
    Source: 22.2.fdexedxfuuyytwq.exe.da0000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
    Source: 22.0.fdexedxfuuyytwq.exe.da0000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
    Source: 22.0.fdexedxfuuyytwq.exe.da0000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
    Source: 22.0.fdexedxfuuyytwq.exe.da0000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.csHigh entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
    Source: 22.0.fdexedxfuuyytwq.exe.da0000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.csHigh entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
    Source: 22.0.fdexedxfuuyytwq.exe.da0000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
    Source: 23.2.fdexedxfuuyytwq.exe.510000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
    Source: 23.2.fdexedxfuuyytwq.exe.510000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
    Source: 23.2.fdexedxfuuyytwq.exe.510000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.csHigh entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
    Source: 23.2.fdexedxfuuyytwq.exe.510000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.csHigh entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
    Source: 23.2.fdexedxfuuyytwq.exe.510000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
    Source: 23.0.fdexedxfuuyytwq.exe.510000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
    Source: 23.0.fdexedxfuuyytwq.exe.510000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
    Source: 23.0.fdexedxfuuyytwq.exe.510000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.csHigh entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
    Source: 23.0.fdexedxfuuyytwq.exe.510000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.csHigh entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
    Source: 23.0.fdexedxfuuyytwq.exe.510000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
    Source: 24.2.fdexedxfuuyytwq.exe.740000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.csHigh entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
    Source: 24.2.fdexedxfuuyytwq.exe.740000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.csHigh entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
    Source: 24.2.fdexedxfuuyytwq.exe.740000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.csHigh entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
    Source: 24.2.fdexedxfuuyytwq.exe.740000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.csHigh entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
    Source: 24.2.fdexedxfuuyytwq.exe.740000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.csHigh entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
    Source: C:\Users\user\Desktop\order-181289654312464648.exe File created: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe
    Source: C:\Users\user\Desktop\order-181289654312464648.exe File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe File created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
    Source: C:\Users\user\Desktop\order-181289654312464648.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdcgjhjyuyihdastagghejh.lnk

    Hooking and other Techniques for Hiding and Protection:

    Icon mismatch, binary includes an icon from a different legit application in order to fool users
    Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon (6).png
    Hides that the sample has been downloaded from the Internet (zone.identifier)
    Source: C:\Users\user\Desktop\order-181289654312464648.exe File opened: C:\Users\user\Desktop\order-181289654312464648.exe\:Zone.Identifier read attributes | delete
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe File opened: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe\:Zone.Identifier read attributes | delete
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe File opened: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe:Zone.Identifier read attributes | delete
    Source: C:\Users\user\Desktop\order-181289654312464648.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
    Source: C:\Users\user\Desktop\order-181289654312464648.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: C:\Users\user\Desktop\order-181289654312464648.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\order-181289654312464648.exeWindow / User API: threadDelayed 1742
    Source: C:\Users\user\Desktop\order-181289654312464648.exeWindow / User API: threadDelayed 8032
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exeWindow / User API: threadDelayed 663
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exeWindow / User API: threadDelayed 9132
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeWindow / User API: threadDelayed 1765
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeWindow / User API: threadDelayed 7880
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeWindow / User API: foregroundWindowGot 490
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeWindow / User API: foregroundWindowGot 512
    Source: C:\Users\user\Desktop\order-181289654312464648.exe TID: 1928Thread sleep time: -15679732462653109s >= -30000s
    Source: C:\Users\user\Desktop\order-181289654312464648.exe TID: 1928Thread sleep time: -30000s >= -30000s
    Source: C:\Users\user\Desktop\order-181289654312464648.exe TID: 4712Thread sleep count: 1742 > 30
    Source: C:\Users\user\Desktop\order-181289654312464648.exe TID: 4712Thread sleep count: 8032 > 30
    Source: C:\Users\user\Desktop\order-181289654312464648.exe TID: 1928Thread sleep count: 59 > 30
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe TID: 6924Thread sleep time: -13835058055282155s >= -30000s
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe TID: 6924Thread sleep time: -30000s >= -30000s
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe TID: 6932Thread sleep count: 663 > 30
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe TID: 6932Thread sleep count: 9132 > 30
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe TID: 6924Thread sleep count: 48 > 30
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe TID: 3060Thread sleep time: -7378697629483816s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe TID: 5140Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe TID: 5492Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe TID: 2288Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe TID: 6524Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe TID: 2140Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe TID: 3236Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe TID: 3688Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe TID: 3064Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe TID: 6636Thread sleep time: -922337203685477s >= -30000s
    Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmpBinary or memory string: VMware
    Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmpBinary or memory string: vmware svga
    Source: order-181289654312464648.exe, 00000000.00000002.316232468.00000000051A0000.00000002.00000001.sdmp, AddInProcess32.exe, 0000000F.00000002.624653683.00000000064C0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmpBinary or memory string: vmware
    Source: order-181289654312464648.exe, 00000000.00000002.314823666.00000000039C1000.00000004.00000001.sdmp, fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmpBinary or memory string: tpautoconnsvc#Microsoft Hyper-V
    Source: order-181289654312464648.exe, 00000000.00000002.314823666.00000000039C1000.00000004.00000001.sdmp, fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmpBinary or memory string: cmd.txtQEMUqemu
    Source: order-181289654312464648.exe, 00000000.00000002.314823666.00000000039C1000.00000004.00000001.sdmp, fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmpBinary or memory string: vmusrvc
    Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmpBinary or memory string: vmsrvc
    Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmpBinary or memory string: vmtools
    Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmpBinary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
    Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmpBinary or memory string: vboxservicevbox)Microsoft Virtual PC
    Source: order-181289654312464648.exe, 00000000.00000002.316232468.00000000051A0000.00000002.00000001.sdmp, AddInProcess32.exe, 0000000F.00000002.624653683.00000000064C0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: order-181289654312464648.exe, 00000000.00000002.316232468.00000000051A0000.00000002.00000001.sdmp, AddInProcess32.exe, 0000000F.00000002.624653683.00000000064C0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmpBinary or memory string: virtual-vmware pointing device
    Source: order-181289654312464648.exe, 00000000.00000002.316232468.00000000051A0000.00000002.00000001.sdmp, AddInProcess32.exe, 0000000F.00000002.624653683.00000000064C0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: AddInProcess32.exe, 0000000F.00000003.449233955.0000000000BF8000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld
    Source: C:\Users\user\Desktop\order-181289654312464648.exeProcess information queried: ProcessInformation
    Source: C:\Users\user\Desktop\order-181289654312464648.exeProcess token adjusted: Debug
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exeProcess token adjusted: Debug
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeProcess token adjusted: Debug
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess token adjusted: Debug
    Source: C:\Users\user\Desktop\order-181289654312464648.exeMemory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion:

    Allocates memory in foreign processes
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exeMemory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write
    Injects a PE file into a foreign process
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exeMemory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A
    Writes to foreign memory regions
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exeMemory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exeMemory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 402000
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exeMemory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 420000
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exeMemory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 422000
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exeMemory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 95F008
    Source: C:\Users\user\Desktop\order-181289654312464648.exeProcess created: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe 'C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe'
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exeProcess created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exeProcess created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exeProcess created: unknown unknown
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess created: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeProcess created: unknown unknown
    Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.616632371.0000000001D20000.00000002.00000001.sdmp, AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp, fdexedxfuuyytwq.exe, 00000016.00000002.608864585.0000000001D80000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000018.00000002.609921970.0000000001780000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 0000001B.00000002.609769452.0000000001D60000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 0000001D.00000002.608183259.0000000001070000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 0000001F.00000002.611380730.0000000001D70000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000021.00000002.611387974.0000000000F90000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000023.00000002.608440755.0000000001D90000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000026.00000002.609963291.00000000016B0000.00000002.00000001.sdmpBinary or memory string: Program Manager
    Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.616632371.0000000001D20000.00000002.00000001.sdmp, AddInProcess32.exe, 0000000F.00000002.611524169.0000000001530000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000016.00000002.608864585.0000000001D80000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000018.00000002.609921970.0000000001780000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 0000001B.00000002.609769452.0000000001D60000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 0000001D.00000002.608183259.0000000001070000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 0000001F.00000002.611380730.0000000001D70000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000021.00000002.611387974.0000000000F90000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000023.00000002.608440755.0000000001D90000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000026.00000002.609963291.00000000016B0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
    Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.616632371.0000000001D20000.00000002.00000001.sdmp, AddInProcess32.exe, 0000000F.00000002.611524169.0000000001530000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000016.00000002.608864585.0000000001D80000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000018.00000002.609921970.0000000001780000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 0000001B.00000002.609769452.0000000001D60000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 0000001D.00000002.608183259.0000000001070000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 0000001F.00000002.611380730.0000000001D70000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000021.00000002.611387974.0000000000F90000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000023.00000002.608440755.0000000001D90000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000026.00000002.609963291.00000000016B0000.00000002.00000001.sdmpBinary or memory string: Progman
    Source: AddInProcess32.exe, 0000000F.00000002.624527365.00000000060DD000.00000004.00000001.sdmpBinary or memory string: Program Managerram Manager
    Source: AddInProcess32.exe, 0000000F.00000002.612718813.0000000002D57000.00000004.00000001.sdmpBinary or memory string: Program ManagerD$+l8`
    Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.616632371.0000000001D20000.00000002.00000001.sdmp, AddInProcess32.exe, 0000000F.00000002.611524169.0000000001530000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000016.00000002.608864585.0000000001D80000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000018.00000002.609921970.0000000001780000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 0000001B.00000002.609769452.0000000001D60000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 0000001D.00000002.608183259.0000000001070000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 0000001F.00000002.611380730.0000000001D70000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000021.00000002.611387974.0000000000F90000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000023.00000002.608440755.0000000001D90000.00000002.00000001.sdmp, fdexedxfuuyytwq.exe, 00000026.00000002.609963291.00000000016B0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
    Source: AddInProcess32.exe, 0000000F.00000002.624363068.0000000005B7C000.00000004.00000001.sdmpBinary or memory string: Program Manager4
    Source: AddInProcess32.exe, 0000000F.00000002.624859083.00000000067EC000.00000004.00000001.sdmpBinary or memory string: Program Manager
    Source: C:\Users\user\Desktop\order-181289654312464648.exeQueries volume information: C:\Users\user\Desktop\order-181289654312464648.exe VolumeInformation
    Source: C:\Users\user\Desktop\order-181289654312464648.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\order-181289654312464648.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exeQueries volume information: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe VolumeInformation
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeQueries volume information: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 15_2_06D011A0 GetSystemTimes,
    Source: C:\Users\user\Desktop\order-181289654312464648.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

    Stealing of Sensitive Information:

    Yara detected Nanocore RAT
    Source: Yara matchFile source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.619247841.0000000003B51000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.620771478.0000000003F6F000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: order-181289654312464648.exe PID: 5964, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: fdcgjhjyuyihdastagghejh.exe PID: 6692, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: AddInProcess32.exe PID: 4316, type: MEMORY
    Source: Yara matchFile source: 15.2.AddInProcess32.exe.5c00000.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.AddInProcess32.exe.5c00000.6.raw.unpack, type: UNPACKEDPE

    Remote Access Functionality:

    Detected Nanocore Rat
    Source: order-181289654312464648.exe, 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: AddInProcess32.exe, 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
    Source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
    Source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
    Source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Yara detected Nanocore RAT
    Source: Yara matchFile source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.619247841.0000000003B51000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.620771478.0000000003F6F000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: order-181289654312464648.exe PID: 5964, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: fdcgjhjyuyihdastagghejh.exe PID: 6692, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: AddInProcess32.exe PID: 4316, type: MEMORY
    Source: Yara matchFile source: 15.2.AddInProcess32.exe.5c00000.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.AddInProcess32.exe.5c00000.6.raw.unpack, type: UNPACKEDPE

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts1 | Windows Management Instrumentation1 | Startup Items1 | Startup Items1 | Disable or Modify Tools1 | Input Capture21 | System Time Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Valid Accounts1 | Valid Accounts1 | Deobfuscate/Decode Files or Information1 | LSASS Memory | File and Directory Discovery1 | Remote Desktop Protocol | Input Capture21 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Registry Run Keys / Startup Folder2 | Access Token Manipulation1 | Obfuscated Files or Information2 | Security Account Manager | System Information Discovery13 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Process Injection312 | Software Packing11 | NTDS | Query Registry1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Registry Run Keys / Startup Folder2 | Timestomp1 | LSA Secrets | Security Software Discovery121 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol11 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading11 | Cached Domain Credentials | Virtualization/Sandbox Evasion3 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Valid Accounts1 | DCSync | Process Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation1 | Proc Filesystem | Application Window Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
    Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Virtualization/Sandbox Evasion3 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
    Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Process Injection312 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
    Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Hidden Files and Directories1 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop
    (Digits following a technique name are the report's count markers, kept as extracted; each column is the report's own ranked list for that tactic.)

    Behavior Graph

    Behavior Graph ID: 339042
    Sample: order-181289654312464648.exe
    Start date: 13/01/2021
    Architecture: WINDOWS
    Score: 100
    Top-level signatures:
    • Found malware configuration
    • Malicious sample detected (through community Yara rule)
    • Icon mismatch, binary includes an icon from a different legit application in order to fool users
    • 8 other signatures
    Process tree (as recovered from the graph):
    • order-181289654312464648.exe (started)
      Dropped: C:\Users\user\...\fdcgjhjyuyihdastagghejh.exe (PE32); C:\Users\user\AppData\...\AddInProcess32.exe (PE32); fdcgjhjyuyihdastag...exe:Zone.Identifier (ASCII); C:\Users\...\order-181289654312464648.exe.log (ASCII)
      Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
      • fdcgjhjyuyihdastagghejh.exe (started)
        Dropped: C:\Users\user\AppData\...\fdexedxfuuyytwq.exe (PE32)
        Signatures: Machine Learning detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
        • AddInProcess32.exe (started)
          Network: 185.157.162.81, ports 40700, 49741, 49743 (OBE-EUROPEObenetworkEuropeSE, Sweden); nanopc.linkpc.net 185.157.161.86, ports 40700, 49747 (OBE-EUROPEObenetworkEuropeSE, Sweden)
          Dropped: C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO)
          Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
        • fdexedxfuuyytwq.exe (started)
          Signatures: Multi AV Scanner detection for dropped file
          • fdexedxfuuyytwq.exe (started)
        • fdexedxfuuyytwq.exe (started)
          Network: 192.168.2.1 (unknown, unknown)
          • fdexedxfuuyytwq.exe (started)
        • 7 other processes
          • fdexedxfuuyytwq.exe (started)
          • fdexedxfuuyytwq.exe (started)
          • fdexedxfuuyytwq.exe (started)
          • 3 other processes


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    order-181289654312464648.exe | 100% | Joe Sandbox ML |

    Dropped Files

    Source | Detection | Scanner | Label
    C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | 100% | Joe Sandbox ML |
    C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0% | Virustotal |
    C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0% | Metadefender |
    C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 0% | ReversingLabs |
    C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | 7% | Virustotal |
    C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | 3% | Metadefender |
    C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | 7% | ReversingLabs |

    Unpacked PE Files

    Source | Detection | Scanner | Label
    15.2.AddInProcess32.exe.5c00000.6.unpack | 100% | Avira | TR/NanoCore.fadte
    15.2.AddInProcess32.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label
    http://iptc.tc4xmp3 | 0% | Avira URL Cloud | safe
    http://ns.ado/Ident | 0% | Avira URL Cloud | safe

    Domains and IPs

    Contacted Domains

    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    nanopc.linkpc.net | 185.157.161.86 | true | false | | high

      URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://iptc.tc4xmp3 | fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.616518111.0000000001789000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
    http://ns.ado/Ident | fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.616518111.0000000001789000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown

      Contacted IPs


      Public

    IP | Domain | Country | ASN | ASN Name | Malicious
    185.157.162.81 | unknown | Sweden | 197595 | OBE-EUROPEObenetworkEuropeSE | true
    185.157.161.86 | unknown | Sweden | 197595 | OBE-EUROPEObenetworkEuropeSE | false

      Private

      IP
      192.168.2.1

      General Information

    Joe Sandbox Version: 31.0.0 Red Diamond
    Analysis ID: 339042
    Start date: 13.01.2021
    Start time: 10:15:43
    Joe Sandbox Product: CloudBasic
    Overall analysis duration: 0h 14m 33s
    Hypervisor based Inspection enabled: false
    Report type: light
    Sample file name: order-181289654312464648.exe
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of new started processes analysed: 40
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Detection: MAL
    Classification: mal100.troj.evad.winEXE@41/29@1/3
    EGA Information: Failed
    HDC Information:
    • Successful, ratio: 2.2% (good quality ratio 1.8%)
    • Quality average: 67.9%
    • Quality standard deviation: 33%
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    Warnings:
    • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
    • TCP Packets have been reduced to 100
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
    • Excluded IPs from analysis (whitelisted): 40.88.32.150, 52.255.188.83, 23.210.248.85, 51.104.139.180, 92.122.213.194, 92.122.213.247, 2.20.143.16, 2.20.142.210, 2.20.142.209, 51.103.5.159, 20.54.26.129, 51.11.168.160, 20.190.129.2, 40.126.1.128, 40.126.1.166, 20.190.129.133, 20.190.129.128, 40.126.1.145, 40.126.1.130, 20.190.129.160, 52.155.217.156
    • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, login.live.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net
    • Report creation exceeded maximum time and may have missing disassembly code information.
    • Report size exceeded maximum capacity and may have missing behavior information.
    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • Report size getting too big, too many NtReadVirtualMemory calls found.

      Simulations

      Behavior and APIs

    Time | Type | Description
    10:16:39 | API Interceptor | 180x Sleep call for process: order-181289654312464648.exe modified
    10:16:43 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdcgjhjyuyihdastagghejh.lnk
    10:17:29 | API Interceptor | 194x Sleep call for process: fdcgjhjyuyihdastagghejh.exe modified

      Joe Sandbox View / Context

      IPs

    Match | Associated Sample Name / URL | Detection
    185.157.162.81 | 89GsVCJAXv.exe | malicious
    185.157.162.81 | spetsifikatsiya.xls | malicious
    185.157.162.81 | dpR3o92MH1.exe | malicious
    185.157.162.81 | 0qNSJXB8nG.exe | malicious
    185.157.162.81 | 7w7LwD8bqe.exe | malicious
    185.157.162.81 | ZZB5zuv1X0.exe | malicious
    185.157.162.81 | spetsifikatsiya.xls | malicious
    185.157.162.81 | ptoovvKZ80.exe | malicious
    185.157.162.81 | spetsifikatsiya.xls | malicious
    185.157.162.81 | EnJsj6nuD4.exe | malicious
    185.157.162.81 | zlkcd7HSQp.exe | malicious
    185.157.162.81 | machine.xls | malicious
    185.157.162.81 | qdnLoWn1E8.exe | malicious
    185.157.162.81 | ogYg79jWpR.exe | malicious
    185.157.162.81 | ORDER PMX-PT-2001 STOCK+NOVO.exe | malicious
    185.157.162.81 | DHL_10177_R293_DOCUMENT.exe | malicious
    185.157.162.81 | Order_List_PO# 081928.pdf.exe | malicious
    185.157.162.81 | CF09550WJ901.pdf.exe | malicious
    185.157.162.81 | Order List PO# 081927.pdf.exe | malicious
    185.157.162.81 | Doc#662020094753525765301499.pdf.exe | malicious
    185.157.161.86 | Order_1101201918_AUTECH.exe | malicious
    185.157.161.86 | 50404868-c352-422f-a608-7fd64b335eec.exe | malicious
    185.157.161.86 | 74725794.pdf.exe | malicious
    185.157.161.86 | Order_List_PO# 0819289.exe | malicious

                                                      Domains

                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                      nanopc.linkpc.netORDER PMX-PT-2001 STOCK+NOVO.exeGet hashmaliciousBrowse
                                                      • 185.157.162.81
                                                      DHL_10177_R293_DOCUMENT.exeGet hashmaliciousBrowse
                                                      • 105.112.101.201

      ASN

      Match | Associated Sample Name / URL | Detection | Context
      OBE-EUROPEObenetworkEuropeSE | Doc#6620200947535257653.exe | malicious | 185.157.160.233
      OBE-EUROPEObenetworkEuropeSE | Scan_order.exe | malicious | 185.157.161.61
      OBE-EUROPEObenetworkEuropeSE | inrfzFzDHR.exe | malicious | 45.148.16.42
      OBE-EUROPEObenetworkEuropeSE | SecuriteInfo.com.generic.ml.exe | malicious | 185.157.161.61
      OBE-EUROPEObenetworkEuropeSE | New PO.doc | malicious | 185.157.161.61
      OBE-EUROPEObenetworkEuropeSE | 89GsVCJAXv.exe | malicious | 185.157.162.81
      OBE-EUROPEObenetworkEuropeSE | spetsifikatsiya.xls | malicious | 185.157.162.81
      OBE-EUROPEObenetworkEuropeSE | DHL_file 187652345643476245.exe | malicious | 185.157.160.233
      OBE-EUROPEObenetworkEuropeSE | dpR3o92MH1.exe | malicious | 185.157.162.81
      OBE-EUROPEObenetworkEuropeSE | 0qNSJXB8nG.exe | malicious | 185.157.162.81
      OBE-EUROPEObenetworkEuropeSE | Order_1101201918_AUTECH.exe | malicious | 185.157.161.86
      OBE-EUROPEObenetworkEuropeSE | 7w7LwD8bqe.exe | malicious | 185.157.162.81
      OBE-EUROPEObenetworkEuropeSE | ZZB5zuv1X0.exe | malicious | 185.157.162.81
      OBE-EUROPEObenetworkEuropeSE | spetsifikatsiya.xls | malicious | 185.157.162.81
      OBE-EUROPEObenetworkEuropeSE | ptoovvKZ80.exe | malicious | 185.157.162.81
      OBE-EUROPEObenetworkEuropeSE | spetsifikatsiya.xls | malicious | 185.157.162.81
      OBE-EUROPEObenetworkEuropeSE | EnJsj6nuD4.exe | malicious | 185.157.162.81
      OBE-EUROPEObenetworkEuropeSE | AdviceSlip.xls | malicious | 217.64.149.169
      OBE-EUROPEObenetworkEuropeSE | DHL_file 187652345643476245.exe | malicious | 185.157.160.233
      OBE-EUROPEObenetworkEuropeSE | DHL_file 187652345643476245.exe | malicious | 185.157.160.233

      JA3 Fingerprints

      No context

      Dropped Files

      Match | Associated Sample Name / URL | Detection
      C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | PO_60577.exe | malicious
      C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | IMG_73344332#U00e2#U20ac#U00aegpj.exe | malicious
      C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Ziraat Bankasi Swift Mesaji.exe | malicious
      C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Doc#6620200947535257653.exe | malicious
      C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | SecuriteInfo.com.Generic.mg.15368412abd71685.exe | malicious
      C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | RT-05723.exe | malicious
      C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Dekont.pdf.exe | malicious
      C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | cFAWQ1mv83.exe | malicious
      C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | I7313Y5Rr2.exe | malicious
      C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | SWIFT-COPY Payment advice3243343.exe | malicious
      C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | bWVvaTptgL.exe | malicious
      C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | umOXxQ9PFS.exe | malicious
      C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | BL,IN&PL.exe | malicious
      C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | ORDER #0554.exe | malicious
      C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Dekont.pdf.exe | malicious
      C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | IMG_84755643#U00e2#U20ac#U00aegpj.exe | malicious
      C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | 8WLxD8uxRN.exe | malicious
      C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Quotation.exe | malicious
      C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | e-dekont.html.exe | malicious
      C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Dekont.pdf.exe | malicious
      C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | SecuriteInfo.com.Generic.mg.5a4b41327cabca49.exe | malicious
      C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | SecuriteInfo.com.FileRepMalware.exe | malicious
      C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | TD-10057.exe | malicious
      C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | FedExAWB 772584418730.doc | malicious
      C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | Doc#6620200947535257653.exe | malicious
      C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | TD-10057.doc | malicious
      C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | ndSscoDob9.exe | malicious
      C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | SecuriteInfo.com.Generic.mg.15368412abd71685.exe | malicious
      C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | QL-0217.doc | malicious
      C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | DXXJmIDl3C.exe | malicious
      C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | 0YdVJ6vqhO.exe | malicious
      C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | RT-05723.exe | malicious
      C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | RT-05723.doc | malicious
      C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | DHL_file 187652345643476245.exe | malicious
      C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | Order_1101201918_AUTECH.exe | malicious

      Created / dropped Files

      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fdexedxfuuyytwq.exe.log
      Process: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
      File Type: ASCII text, with CRLF line terminators
      Category: dropped
      Size (bytes): 1362
      Entropy (8bit): 5.343186145897752
      Encrypted: false
      SSDEEP: 24:ML9E4Ks2eE4O1lEE4UVwPKDE4KhK3VZ9pKhuE4IWUAE4KI6no84j:MxHKXeHKlEHU0YHKhQnouHIW7HKjovj
      MD5: 1249251E90A1C28AB8F7235F30056DEB
      SHA1: 166BA6B64E9B0D9BA7B856334F7D7EC027030BA1
      SHA-256: B5D65BF3581136CD5368BC47FA3972E06F526EED407BC6571D11D9CD4B5C4D83
      SHA-512: FD880C5B12B22241F67139ABD09B99ACE7A4DD24635FC6B340A3E7C463E2AEF3FA68EF647352132934BC1F8CA134F46064049449ACB67954BEDDEA9AA9670885
      Malicious: false
                                                                                                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\order-181289654312464648.exe.log
      Process: C:\Users\user\Desktop\order-181289654312464648.exe
      File Type: ASCII text, with CRLF line terminators
      Category: modified
      Size (bytes): 1451
      Entropy (8bit): 5.345862727722058
      Encrypted: false
      SSDEEP: 24:ML9E4Ks2eE4O1lEE4UVwPKDE4KhK3VZ9pKhuE4IWUAE4KI6no84G1qE4j:MxHKXeHKlEHU0YHKhQnouHIW7HKjovGm
      MD5: 06F54CDBFEF62849AF5AE052722BD7B6
      SHA1: FB0250AAC2057D0B5BCE4CE130891E428F28DA05
      SHA-256: 4C039B93A728B546F49C47ED8B448D40A3553CDAABB147067AEE3958133CB446
      SHA-512: 34EF5F6D5EAB0E5B11AC81F0D72FC56304291EDEEF6D19DF7145FDECAB5D342767DBBC0B4384B8DECB5741E6B85A4B431DF14FBEB5DDF2DEE103064D2895EABB
      Malicious: true
                                                                                                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
      C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
      Process: C:\Users\user\Desktop\order-181289654312464648.exe
      File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
      Category: dropped
      Size (bytes): 42080
      Entropy (8bit): 6.2125074198825105
      Encrypted: false
      SSDEEP: 384:gc3JOvwWj8Gpw0A67dOpRIMKJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+QsPZw:g4JU8g17dl6Iq88MoBd7mFViqM5sL2
      MD5: F2A47587431C466535F3C3D3427724BE
      SHA1: 90DF719241CE04828F0DD4D31D683F84790515FF
      SHA-256: 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
      SHA-512: E9D0819478DDDA47763C7F5F617CD258D0FACBBBFFE0C7A965EDE9D0D884A6D7BB445820A3FD498B243BBD8BECBA146687B61421745E32B86272232C6F9E90D8
      Malicious: true
      Antivirus:
      • Antivirus: Virustotal, Detection: 0%
      • Antivirus: Metadefender, Detection: 0%
      • Antivirus: ReversingLabs, Detection: 0%
      Joe Sandbox View:
      • Filename: PO_60577.exe, Detection: malicious
      • Filename: IMG_73344332#U00e2#U20ac#U00aegpj.exe, Detection: malicious
      • Filename: Ziraat Bankasi Swift Mesaji.exe, Detection: malicious
      • Filename: Doc#6620200947535257653.exe, Detection: malicious
      • Filename: SecuriteInfo.com.Generic.mg.15368412abd71685.exe, Detection: malicious
      • Filename: RT-05723.exe, Detection: malicious
      • Filename: Dekont.pdf.exe, Detection: malicious
      • Filename: cFAWQ1mv83.exe, Detection: malicious
      • Filename: I7313Y5Rr2.exe, Detection: malicious
      • Filename: SWIFT-COPY Payment advice3243343.exe, Detection: malicious
      • Filename: bWVvaTptgL.exe, Detection: malicious
      • Filename: umOXxQ9PFS.exe, Detection: malicious
      • Filename: BL,IN&PL.exe, Detection: malicious
      • Filename: ORDER #0554.exe, Detection: malicious
      • Filename: Dekont.pdf.exe, Detection: malicious
      • Filename: IMG_84755643#U00e2#U20ac#U00aegpj.exe, Detection: malicious
      • Filename: 8WLxD8uxRN.exe, Detection: malicious
      • Filename: Quotation.exe, Detection: malicious
      • Filename: e-dekont.html.exe, Detection: malicious
      • Filename: Dekont.pdf.exe, Detection: malicious
                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..X...........w... ........@.. ...................................`.................................Hw..O....... ............f..`>...........v............................................... ............... ..H............text....W... ...X.................. ..`.rsrc... ............Z..............@..@.reloc...............d..............@..B................|w......H........#...Q...................u.......................................0..K........-..*..i....*...r...p.o....,....r...p.o....-..*.....o......o.....$...*.....o....(....(......:...(....o......r...p.o.......4........o......... ........o......s ........o!...s".....s#.......r]..prg..po$.....r...p.o$.....r...pr...po$.........s.........(%.....tB...r...p(&...&..r...p.('...s(.......o)...&..o*....(+...o,.....&...(-....*.......3..@......R...s.....s....(....*:.(/.....}P...*J.{P....o0..
      C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
      Process: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe
      File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
      Category: dropped
      Size (bytes): 78336
      Entropy (8bit): 4.369296705546591
      Encrypted: false
      SSDEEP: 768:jlU4+MS3Fu0thSOV4GM0SuHk9Oh/1TRIWUk7NlfaNV9KQLxXXSv:l6o03IGMLuHk+Ck5lfaNP7xSv
      MD5: 0E362E7005823D0BEC3719B902ED6D62
      SHA1: 590D860B909804349E0CDC2F1662B37BD62F7463
      SHA-256: 2D0DC6216F613AC7551A7E70A798C22AEE8EB9819428B1357E2B8C73BEF905AD
      SHA-512: 518991B68496B3F8545E418CF9B345E0791E09CC20D177B8AA47E0ABA447AA55383C64F5BDACA39F2B061A5D08C16F2AD484AF8A9F238CA23AB081618FBA3AD3
      Malicious: false
      Antivirus:
      • Antivirus: Virustotal, Detection: 7%
      • Antivirus: Metadefender, Detection: 3%
      • Antivirus: ReversingLabs, Detection: 7%
      Joe Sandbox View:
      • Filename: SecuriteInfo.com.Generic.mg.5a4b41327cabca49.exe, Detection: malicious
      • Filename: SecuriteInfo.com.FileRepMalware.exe, Detection: malicious
      • Filename: TD-10057.exe, Detection: malicious
      • Filename: FedExAWB 772584418730.doc, Detection: malicious
      • Filename: Doc#6620200947535257653.exe, Detection: malicious
      • Filename: TD-10057.doc, Detection: malicious
      • Filename: ndSscoDob9.exe, Detection: malicious
      • Filename: SecuriteInfo.com.Generic.mg.15368412abd71685.exe, Detection: malicious
      • Filename: QL-0217.doc, Detection: malicious
      • Filename: DXXJmIDl3C.exe, Detection: malicious
                                                                                                                            • Filename: 0YdVJ6vqhO.exe, Detection: malicious, Browse
                                                                                                                            • Filename: RT-05723.exe, Detection: malicious, Browse
                                                                                                                            • Filename: RT-05723.doc, Detection: malicious, Browse
                                                                                                                            • Filename: DHL_file 187652345643476245.exe, Detection: malicious, Browse
                                                                                                                            • Filename: Order_1101201918_AUTECH.exe, Detection: malicious, Browse
                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Y ................P..&...........D... ........@.. ....................................`..................................D..W....`..............................hD............................................... ............... ..H............text....$... ...&.................. ..`.rsrc........`.......(..............@..@.reloc...............0..............@..B.................D......H.......l....%......)....................................................0..6.......(8...t....&.(8...t....&......(8...t...................8;....8%.....(8...t....&.(8...t............:.....(8...t....:.....(8...t....:....(8...t....................................\:@....(8...t....&.)...&8.....(8...t....&(8...t....&.....:.......8x........:L...88....(8...t....&(8...t....&(8...t....&(8...t.....................:....8!.....(8...t....&......(8...t....&.....(8...t....:8.....(8...t....&.
C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.txt
Process: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 72
Entropy (8bit): 4.885154258886507
Encrypted: false
SSDEEP: 3:uVNWXp5cViEaKC5dVPF9OA1YnXVy:uVNWXp+NaZ5rPF9O2Ync
MD5: EACC6D9F7D6EFE25CB48137E7064F313
SHA1: 1E767634BE3B749B6549F3101A09E2715859558B
SHA-256: DBDFB40802DF3D9FA9923C7186586AEAB2985126EFB203E78A7CE2B53546F6D8
SHA-512: 0C3187B94CEFAAFD731D504E17D602D14A2819A68B239444BDA6135476F7EDCEC6B0A017E2762C59ADDAFDC405B884373A608CE3A9A9DB8087C62B6F330159CB
Malicious: false
Preview: 6692..C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe..7120..
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
Process: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
File Type: data
Category: dropped
Size (bytes): 232
Entropy (8bit): 7.024371743172393
Encrypted: false
SSDEEP: 6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
MD5: 32D0AAE13696FF7F8AF33B2D22451028
SHA1: EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
SHA-256: 5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
SHA-512: 1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
Malicious: false
Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Process: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
File Type: Non-ISO extended-ASCII text, with no line terminators
Category: dropped
Size (bytes): 8
Entropy (8bit): 3.0
Encrypted: false
SSDEEP: 3:TOt:TOt
MD5: 9DCCFC1428F275A4E2429AFEA104655B
SHA1: 4C4AAC284536CFB553FEBE32DF9D4C8DAEB47741
SHA-256: F8026D5E1B4CA4035C68C75F13026580B0A5B39CC6663D238FC92FD2D139D359
SHA-512: E320E38E187436748EE236F6F11EEAF7C61DC9C14A96A271E97A3EF8B6F22DD9C79F783FF5F48CBBF5FE7A64E15F38B52AC817C088FABCE9FE4757236C78D887
Malicious: true
Preview: J=...H
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
Process: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
File Type: data
Category: dropped
Size (bytes): 40
Entropy (8bit): 5.153055907333276
Encrypted: false
SSDEEP: 3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5: 4E5E92E2369688041CC82EF9650EDED2
SHA1: 15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256: F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512: 1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious: false
Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
Process: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
File Type: data
Category: dropped
Size (bytes): 327432
Entropy (8bit): 7.99938831605763
Encrypted: true
SSDEEP: 6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
MD5: 7E8F4A764B981D5B82D1CC49D341E9C6
SHA1: D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
SHA-256: 0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
SHA-512: 880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
Malicious: false
Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdcgjhjyuyihdastagghejh.lnk
Process: C:\Users\user\Desktop\order-181289654312464648.exe
File Type: MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category: dropped
Size (bytes): 1008
Entropy (8bit): 3.2517421808078684
Encrypted: false
SSDEEP: 12:8wl06sXou41w/tz0/CSLMeI2DsAMPHAMYmO3qMJCHAM2gTCNfBT/v4t2Y+xIBjK:8Rf4eWLZ//7DPthJVpd7aB
MD5: FB516F578D9499D6DB698AE541F8FCCB
SHA1: E26C9B2F619BCD1216E1C17689392BAF50E202C9
SHA-256: 7EA8400005E701A3C980DE2BAB4EE042A927863E50689A81F79BAEE90CCF72EA
SHA-512: EC1BF91EC555919605675732417D32E94B9C53AA063A6823042DD59010317C15EE0599C2BD3E5E4CC622226625E29E29B69E56C2BD7588124A0081D446B3761B
Malicious: false
Preview: L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................h.a.r.d.z.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.......2...........fdcgjhjyuyihdastagghejh.exe.h............................................f.d.c.g.j.h.j.y.u.y.i.h.d.a.s.t.a.g.g.h.e.j.h...e.x.e...*...*.....\.....\.....\.....\.....\.f.d.c.g.j.h.j.y.u.y.i.h.d.a.s.t.a.g.g.h.e.j.h...e.x.e.:.C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.f.d.c.g.j.h.j.y.u.y.i.h.d.a.s.t.a.g.g.h.e.j.h...e.x.e.............y.............>.e.L.:..er.=y...............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........
C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe
Process: C:\Users\user\Desktop\order-181289654312464648.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 5815808
Entropy (8bit): 7.8329710414512155
Encrypted: false
SSDEEP: 98304:3QRUDjYYo/PJhTLqj7tLS+5xZEU2ytc40Gk15GhYwfxK+gEwj7u/B:3QRUIzTLq75x+U/tc9GrhPAFOJ
MD5: 28DA42C2CD57E51CB8EA7DF263802924
SHA1: 81C980F2CDA9B42B0B8BF50C7128CC88AFD942FD
SHA-256: 2D564AE361EB499CA493273E9FCFB88546105C88293C7633A7E1580A435CEE9F
SHA-512: 594EF84101106F21760953B8DD2660CAA21FC6F08790B588875781B1233586A000CFAE1D3A3001A1221762A08F18705E401C5AF60F25D7E37032335346D9F828
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..9..................U...........V.. ........@.. ........................Y...........`.................................T.V.W.... V.J.....................X...................................................... ............... ..H............text.....U.. ....U................. ..`.rsrc...J.... V.......V.............@..@.reloc........X.......X.............@..B..................V.....H.......\.U..&......P....B...R.......................................... .........%.....(......... "........%.....(.........*...0....................................(....t.... ...H(:...t....&.N&..... ..j.(:...t...........................-.+..(....t....&.............-.....+J......-:.....(....t............ ...........(:...t.....(:...t....&......-.........(....t.... |-........(:...t....(....t..........(:...t....:p....(....t........\:....+w......(....t.....(....t........ ..c(:
C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe:Zone.Identifier
Process: C:\Users\user\Desktop\order-181289654312464648.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.8329710414512155
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: order-181289654312464648.exe
File size: 5815808
MD5: 28da42c2cd57e51cb8ea7df263802924
SHA1: 81c980f2cda9b42b0b8bf50c7128cc88afd942fd
SHA256: 2d564ae361eb499ca493273e9fcfb88546105c88293c7633a7e1580a435cee9f
SHA512: 594ef84101106f21760953b8dd2660caa21fc6f08790b588875781b1233586a000cfae1d3a3001a1221762a08f18705e401c5af60f25d7e37032335346d9f828
SSDEEP: 98304:3QRUDjYYo/PJhTLqj7tLS+5xZEU2ytc40Gk15GhYwfxK+gEwj7u/B:3QRUIzTLq75x+U/tc9GrhPAFOJ
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..9..................U...........V.. ........@.. ........................Y...........`................................

File Icon

Icon Hash: c6a9989ae8ccb6cc

Static PE Info

General

Entrypoint: 0x961cae
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp: 0x39BE9B63 [Tue Sep 12 21:08:51 2000 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                                            Entrypoint Preview

                                                                                                                            Instruction
                                                                                                                            jmp dword ptr [00402000h]
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al
                                                                                                                            add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x561c54 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x562000 | 0x2ba4a | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x58e000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x55fcb4 | 0x55fe00 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x562000 | 0x2ba4a | 0x2bc00 | False | 0.236199776786 | data | 5.5567301511 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x58e000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x5622b0 | 0x39bc | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0x565c6c | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x576494 | 0x94a8 | data | |
RT_ICON | 0x57f93c | 0x5488 | data | |
RT_ICON | 0x584dc4 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 254, next used block 520093696 | |
RT_ICON | 0x588fec | 0x25a8 | data | |
RT_ICON | 0x58b594 | 0x10a8 | data | |
RT_ICON | 0x58c63c | 0x988 | data | |
RT_ICON | 0x58cfc4 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0x58d42c | 0x84 | data | |
RT_VERSION | 0x58d4b0 | 0x3b0 | data | |
RT_MANIFEST | 0x58d860 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2010 ?;BH8HG?:@DJDEDB753GC
Assembly Version | 1.0.0.0
InternalName | hugefrssaw.exe
FileVersion | 7.10.13.17
CompanyName | ?;BH8HG?:@DJDEDB753GC
Comments | 3:7=7B8D46?BJC<65<C>8?
ProductName | GJJ=2H538>53D9C4CD
ProductVersion | 7.10.13.17
FileDescription | GJJ=2H538>53D9C4CD
OriginalFilename | hugefrssaw.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2021 10:18:05.183847904 CET | 49741 | 40700 | 192.168.2.3 | 185.157.162.81
Jan 13, 2021 10:18:05.265274048 CET | 40700 | 49741 | 185.157.162.81 | 192.168.2.3
Jan 13, 2021 10:18:05.772847891 CET | 49741 | 40700 | 192.168.2.3 | 185.157.162.81
Jan 13, 2021 10:18:05.858684063 CET | 40700 | 49741 | 185.157.162.81 | 192.168.2.3
Jan 13, 2021 10:18:06.366697073 CET | 49741 | 40700 | 192.168.2.3 | 185.157.162.81
Jan 13, 2021 10:18:06.448652029 CET | 40700 | 49741 | 185.157.162.81 | 192.168.2.3
Jan 13, 2021 10:18:10.541047096 CET | 49743 | 40700 | 192.168.2.3 | 185.157.162.81
Jan 13, 2021 10:18:10.624140024 CET | 40700 | 49743 | 185.157.162.81 | 192.168.2.3
Jan 13, 2021 10:18:11.132726908 CET | 49743 | 40700 | 192.168.2.3 | 185.157.162.81
Jan 13, 2021 10:18:11.221738100 CET | 40700 | 49743 | 185.157.162.81 | 192.168.2.3
Jan 13, 2021 10:18:11.726533890 CET | 49743 | 40700 | 192.168.2.3 | 185.157.162.81
Jan 13, 2021 10:18:11.816729069 CET | 40700 | 49743 | 185.157.162.81 | 192.168.2.3
Jan 13, 2021 10:18:16.591576099 CET | 49744 | 40700 | 192.168.2.3 | 185.157.162.81
Jan 13, 2021 10:18:16.685046911 CET | 40700 | 49744 | 185.157.162.81 | 192.168.2.3
Jan 13, 2021 10:18:17.195848942 CET | 49744 | 40700 | 192.168.2.3 | 185.157.162.81
Jan 13, 2021 10:18:17.294382095 CET | 40700 | 49744 | 185.157.162.81 | 192.168.2.3
Jan 13, 2021 10:18:17.805157900 CET | 49744 | 40700 | 192.168.2.3 | 185.157.162.81
Jan 13, 2021 10:18:17.886883020 CET | 40700 | 49744 | 185.157.162.81 | 192.168.2.3
Jan 13, 2021 10:18:22.147533894 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:18:22.430186033 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:18:22.430293083 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:18:22.464010000 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:18:22.758575916 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:18:22.758668900 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:18:23.191312075 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:18:23.191379070 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:18:23.605516911 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:18:23.633533955 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:18:23.958090067 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:18:24.070549965 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:18:24.083247900 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:18:24.083295107 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:18:24.083316088 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:18:24.083338976 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:18:24.083389044 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:18:24.083417892 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:18:24.083436966 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:18:24.083726883 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:18:24.085408926 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:18:24.087407112 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:18:24.087611914 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:18:24.089659929 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:18:24.090418100 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
Jan 13, 2021 10:18:24.090538025 CET | 49747 | 40700 | 192.168.2.3 | 185.157.161.86
Jan 13, 2021 10:18:24.357623100 CET | 40700 | 49747 | 185.157.161.86 | 192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.357680082 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.357753992 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.359256983 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.361134052 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.361207962 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.362083912 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.362200022 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.362242937 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.362272978 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.363096952 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.363154888 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.365103960 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.366099119 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.366158009 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.368100882 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.369003057 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.369066000 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.390433073 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.391096115 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.391381979 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.392076969 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.395148993 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.395257950 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.396030903 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.398098946 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.398341894 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.399117947 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.400033951 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.400301933 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.629337072 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.630142927 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.630208969 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.631036997 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.633137941 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.633208990 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.634157896 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.636156082 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.636291027 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.637115002 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.646197081 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.646245956 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.646256924 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.646291018 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.646372080 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.651071072 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.651117086 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.651154041 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.651186943 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.651247978 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.651350975 CET4974740700192.168.2.3185.157.161.86
                                                                                                                            Jan 13, 2021 10:18:24.651381016 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.677258968 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.677321911 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.677360058 CET4070049747185.157.161.86192.168.2.3
                                                                                                                            Jan 13, 2021 10:18:24.677427053 CET4974740700192.168.2.3185.157.161.86

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2021 10:16:25.588076115 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:16:25.636162996 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:16:26.546324968 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:16:26.597145081 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:16:27.383486986 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:16:27.447304964 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:16:28.179534912 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:16:28.230333090 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:16:29.101223946 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:16:29.149468899 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:16:30.176811934 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:16:30.227729082 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:16:31.113049030 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:16:31.160996914 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:16:32.278944016 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:16:32.326936960 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:16:33.979722977 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:16:34.027630091 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:16:34.787209034 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:16:34.835278988 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:16:35.579917908 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:16:35.628056049 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:16:36.404805899 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:16:36.452902079 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:16:37.318686962 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:16:37.366640091 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:16:38.166954041 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:16:38.218033075 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:17:00.392678022 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:17:00.451812983 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:17:07.054548979 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:17:07.102667093 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:17:10.299029112 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:17:10.356970072 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:17:14.910196066 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:17:14.968230963 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:17:16.544255972 CET | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:17:16.603800058 CET | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:17:19.857759953 CET | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:17:19.918687105 CET | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:17:28.169715881 CET | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:17:28.234174013 CET | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:18:04.993757010 CET | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:18:05.041783094 CET | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:18:05.433362007 CET | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:18:05.497874022 CET | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:18:21.244446993 CET | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:18:21.308711052 CET | 53 | 61292 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:18:21.970290899 CET | 63619 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:18:22.055340052 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:18:22.103426933 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:18:22.143655062 CET | 53 | 63619 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:19:14.275618076 CET | 61946 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:19:14.360590935 CET | 53 | 61946 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:19:14.806078911 CET | 64910 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:19:14.862519026 CET | 53 | 64910 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:19:15.392956018 CET | 52123 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:19:15.462754965 CET | 53 | 52123 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:19:15.920629025 CET | 56130 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:19:15.980170965 CET | 53 | 56130 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:19:16.363198042 CET | 56338 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:19:16.419696093 CET | 53 | 56338 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:19:16.858954906 CET | 59420 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:19:16.915719986 CET | 53 | 59420 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:19:17.363606930 CET | 58784 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:19:17.411675930 CET | 53 | 58784 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:19:17.964610100 CET | 63978 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:19:18.020894051 CET | 53 | 63978 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:19:18.641583920 CET | 62938 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:19:18.700896978 CET | 53 | 62938 | 8.8.8.8 | 192.168.2.3
Jan 13, 2021 10:19:19.112045050 CET | 55708 | 53 | 192.168.2.3 | 8.8.8.8
Jan 13, 2021 10:19:19.168608904 CET | 53 | 55708 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 13, 2021 10:18:21.970290899 CET | 192.168.2.3 | 8.8.8.8 | 0x3f77 | Standard query (0) | nanopc.linkpc.net | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 13, 2021 10:18:21.308711052 CET | 8.8.8.8 | 192.168.2.3 | 0xddbc | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | (none) | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 10:18:22.143655062 CET | 8.8.8.8 | 192.168.2.3 | 0x3f77 | No error (0) | nanopc.linkpc.net | (none) | 185.157.161.86 | A (IP address) | IN (0x0001)

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 10:16:32
Start date: 13/01/2021
Path: C:\Users\user\Desktop\order-181289654312464648.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\order-181289654312464648.exe'
Imagebase: 0x50000
File size: 5815808 bytes
MD5 hash: 28DA42C2CD57E51CB8EA7DF263802924
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

                                                                                                                            General

                                                                                                                            Start time:10:17:19
                                                                                                                            Start date:13/01/2021
                                                                                                                            Path:C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:'C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe'
                                                                                                                            Imagebase:0x8c0000
                                                                                                                            File size:5815808 bytes
                                                                                                                            MD5 hash:28DA42C2CD57E51CB8EA7DF263802924
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                            Yara matches:
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                            Antivirus matches:
                                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                                            Reputation:low

                                                                                                                            General

                                                                                                                            Start time:10:17:59
                                                                                                                            Start date:13/01/2021
                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
                                                                                                                            Imagebase:0x6a0000
                                                                                                                            File size:42080 bytes
                                                                                                                            MD5 hash:F2A47587431C466535F3C3D3427724BE
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                            Yara matches:
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.624910732.0000000006BD0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.624910732.0000000006BD0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.625265297.0000000006CE0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.625265297.0000000006CE0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.625016694.0000000006C30000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.625016694.0000000006C30000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.624983363.0000000006C10000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.624983363.0000000006C10000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.620423784.0000000003E84000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.625032550.0000000006C40000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.625032550.0000000006C40000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.619247841.0000000003B51000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.625156989.0000000006CA0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.625156989.0000000006CA0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.625048622.0000000006C50000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.625048622.0000000006C50000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.625126493.0000000006C90000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.625126493.0000000006C90000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.624889874.0000000006BC0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.624889874.0000000006BC0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.619550033.0000000003C3E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.625086476.0000000006C70000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.625086476.0000000006C70000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.624999401.0000000006C20000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.624999401.0000000006C20000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.623946602.00000000051A0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.623946602.00000000051A0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.625068564.0000000006C60000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.625068564.0000000006C60000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.620771478.0000000003F6F000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                            • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.620771478.0000000003F6F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                            Antivirus matches:
                                                                                                                             • Detection: 0%, Virustotal
                                                                                                                             • Detection: 0%, Metadefender
                                                                                                                            • Detection: 0%, ReversingLabs
                                                                                                                            Reputation:moderate
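
                                                                                                                             The Source identifiers in the Yara listings above share one naming pattern, and reading them is what turns the listing into a finding: every hit recorded for process index 0 and for the dropped copy at index 0xD sits in a region whose protection field is 0x04, which is the unpacked RAT body staged in writable heap memory, whereas AddInProcess32.exe (index 0xF, Imagebase 0x6a0000) additionally carries hits in a region at 0x402000 with protection 0x40. An executable region that the host image does not cover is the memory-level counterpart of a PE injected into that process. The script below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling. It parses a constructed subset of the match lines copied from this page, groups rule hits per process, and flags executable hit regions outside the host image. The dump-name field layout (process index, dump phase, dump id, base address, page protection, region type) and the reading of the protection field as a Win32 PAGE_* constant are assumptions inferred from the naming pattern in this report; verify them against your own sandbox version before relying on them.

```python
"""Triage helper for Joe Sandbox 'Yara matches' listings.

Added example; not part of the report or of Joe Security's tooling.
Assumed layout of the cited Source identifier (dot-separated, hex):

    <process index>.<dump phase>.<dump id>.<base address>.<page protection>.<region type>.sdmp

The protection field is read as a Win32 PAGE_* constant (0x04 PAGE_READWRITE,
0x40 PAGE_EXECUTE_READWRITE).  Both the layout and that reading are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample input: six match lines copied verbatim from the report above.
SAMPLE_MATCHES = """\
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, Author: Florian Roth
"""

# Imagebase and File size of the report's process entries, keyed by process index.
# 0xD is fdcgjhjyuyihdastagghejh.exe, 0xF is AddInProcess32.exe (values from the report).
REPORT_IMAGES = {0xD: (0x8C0000, 5815808), 0xF: (0x6A0000, 42080)}

MATCH_RE = re.compile(r"Rule:\s*(?P<rule>[^,]+),.*?Source:\s*(?P<source>\S+?\.sdmp)")
SOURCE_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<dump>[0-9]+)\."
    r"(?P<addr>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class YaraHit:
    rule: str
    process_index: int
    base_address: int
    protection: int

    @property
    def executable(self) -> bool:
        # PAGE_EXECUTE* constants occupy bits 0x10..0x80; masking keeps modifiers such as
        # PAGE_GUARD (0x100) from being mistaken for execute rights.
        return (self.protection & 0xF0) != 0


def parse_hits(text):
    """Turn the report's bullet lines into YaraHit records; lines that do not fit are skipped."""
    hits = []
    for line in text.splitlines():
        m = MATCH_RE.search(line)
        if not m:
            continue
        s = SOURCE_RE.match(m.group("source"))
        if not s:
            continue
        hits.append(YaraHit(m.group("rule").strip(), int(s["proc"], 16),
                            int(s["addr"], 16), int(s["prot"], 16)))
    return hits


def summarize(hits):
    """Per process index: the rules that fired and the executable regions they fired in."""
    summary = {}
    for h in hits:
        entry = summary.setdefault(h.process_index, {"rules": set(), "exec_regions": set()})
        entry["rules"].add(h.rule)
        if h.executable:
            entry["exec_regions"].add(h.base_address)
    return summary


def injection_candidates(hits, images):
    """Executable hit regions that the host process's own image does not cover.

    images maps process index -> (image base, size); the report's file size is used as a
    loose upper bound on the mapped image.  An executable RAT body at an address outside
    that span is the memory-level signature of a PE injected into the process.
    """
    found = set()
    for h in hits:
        if not h.executable or h.process_index not in images:
            continue
        base, size = images[h.process_index]
        if not base <= h.base_address < base + size:
            found.add((h.process_index, h.base_address))
    return sorted(found)


if __name__ == "__main__":
    parsed = parse_hits(SAMPLE_MATCHES)
    for idx, entry in sorted(summarize(parsed).items()):
        print(f"process {idx:#x}: rules={sorted(entry['rules'])} "
              f"exec_regions={[hex(a) for a in sorted(entry['exec_regions'])]}")
    print("injection candidates:",
          [(hex(p), hex(a)) for p, a in injection_candidates(parsed, REPORT_IMAGES)])
```

                                                                                                                             Run as-is it prints the per-process summary for the constructed sample; paste the full listing into SAMPLE_MATCHES (or read it from a file) to get every executable hit region across the run. A region flagged by injection_candidates is the first thing to carve out of the memory dump for configuration extraction, since it is the mapped RAT image rather than a heap copy of it.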

                                                                                                                            General

                                                                                                                            Start time:10:18:09
                                                                                                                            Start date:13/01/2021
                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
                                                                                                                            Imagebase:0x860000
                                                                                                                            File size:78336 bytes
                                                                                                                            MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                            Antivirus matches:
                                                                                                                             • Detection: 7%, Virustotal
                                                                                                                             • Detection: 3%, Metadefender
                                                                                                                            • Detection: 7%, ReversingLabs
                                                                                                                            Reputation:moderate

                                                                                                                            General

                                                                                                                            Start time:10:18:12
                                                                                                                            Start date:13/01/2021
                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
                                                                                                                            Imagebase:0xda0000
                                                                                                                            File size:78336 bytes
                                                                                                                            MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                            Reputation:moderate

                                                                                                                            General

                                                                                                                            Start time:10:18:15
                                                                                                                            Start date:13/01/2021
                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
                                                                                                                            Imagebase:0x510000
                                                                                                                            File size:78336 bytes
                                                                                                                            MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                            Reputation:moderate

                                                                                                                            General

                                                                                                                            Start time:10:18:18
                                                                                                                            Start date:13/01/2021
                                                                                                                            Path:C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
                                                                                                                            Imagebase:0x740000
                                                                                                                            File size:78336 bytes
                                                                                                                            MD5 hash:0E362E7005823D0BEC3719B902ED6D62
                                                                                                                            Has elevated privileges:true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

General

Start time: 10:18:21
Start date: 13/01/2021
Path: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
Imagebase: 0x220000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

General

Start time: 10:18:23
Start date: 13/01/2021
Path: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
Imagebase: 0xd80000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

General

Start time: 10:18:27
Start date: 13/01/2021
Path: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
Imagebase: 0xff0000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

General

Start time: 10:18:29
Start date: 13/01/2021
Path: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
Imagebase: 0x170000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

General

Start time: 10:18:32
Start date: 13/01/2021
Path: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
Imagebase: 0x650000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

General

Start time: 10:18:36
Start date: 13/01/2021
Path: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
Imagebase: 0xf70000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

General

Start time: 10:18:40
Start date: 13/01/2021
Path: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
Imagebase: 0xd60000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

General

Start time: 10:18:42
Start date: 13/01/2021
Path: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
Imagebase: 0x10000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

General

Start time: 10:18:46
Start date: 13/01/2021
Path: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
Imagebase: 0xe20000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

General

Start time: 10:18:48
Start date: 13/01/2021
Path: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
Imagebase: 0xe70000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: moderate

General

Start time: 10:18:54
Start date: 13/01/2021
Path: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
Imagebase: 0xcf0000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

General

Start time: 10:18:57
Start date: 13/01/2021
Path: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
Imagebase: 0x830000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

General

Start time: 10:19:01
Start date: 13/01/2021
Path: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe'
Imagebase: 0x5c0000
File size: 78336 bytes
MD5 hash: 0E362E7005823D0BEC3719B902ED6D62
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Disassembly

Code Analysis