

Analysis Report New Order 632487 PDF.exe

Overview

General Information

Sample Name: New Order 632487 PDF.exe
Analysis ID: 357128
MD5: 6bb37fbe7ff7b15c6b20a788ba9d46ff
SHA1: e0f33af458168bccf87fa98638192626c1053ccf
SHA256: 2a65da255eb2ee6ce3c4f2a9ce64e9a48491325bb44bd0fda7c95b6a5db64a41
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses dynamic DNS services
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to detect virtual machines (SGDT)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • New Order 632487 PDF.exe (PID: 6284 cmdline: 'C:\Users\user\Desktop\New Order 632487 PDF.exe' MD5: 6BB37FBE7FF7B15C6B20A788BA9D46FF)
    • a.exe (PID: 6132 cmdline: 'C:\Users\user\AppData\Roaming\a.exe' MD5: 6BB37FBE7FF7B15C6B20A788BA9D46FF)
  • a.exe (PID: 7084 cmdline: 'C:\Users\user\AppData\Roaming\a.exe' MD5: 6BB37FBE7FF7B15C6B20A788BA9D46FF)
    • InstallUtil.exe (PID: 6160 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • dhcpmon.exe (PID: 5440 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • conhost.exe (PID: 6340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "d2ce8aef-f90b-4d6a-b5b0-ecbe54404c6b", "Group": "BOTS", "Domain1": "forcesbots.ddns.net", "Domain2": "forcesbots.ddns.net", "Port": 7767, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
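The configuration above is directly actionable. As an added example (not part of the Joe Sandbox report), the Python below turns a NanoCore configuration into indicators a defender can deploy: it deduplicates the Domain1/Domain2 C2 slots (the operator set both to the same host), flags dynamic-DNS names, lists which capabilities were switched on, records the resolvers the implant uses, and emits a Suricata rule on the DNS query name. The dynamic-DNS suffix list and the rule SID are assumptions; the embedded configuration is the one printed above.

```python
"""Derive indicators from an extracted NanoCore configuration.

Added example; not part of the sandbox report. The configuration below is
the one printed in the report, embedded so the script runs offline.
"""
import json
import re

# Constructed input: copied from the "Malware Configuration" section above.
EXTRACTED_CONFIG = '''{"Version": "1.2.2.0", "Mutex": "d2ce8aef-f90b-4d6a-b5b0-ecbe54404c6b", "Group": "BOTS", "Domain1": "forcesbots.ddns.net", "Domain2": "forcesbots.ddns.net", "Port": 7767, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}'''

# Assumption: a partial list of free dynamic-DNS suffixes commonly abused for C2.
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".no-ip.com", ".hopto.org",
                   ".zapto.org", ".duckdns.org")


def config_to_iocs(config_json: str) -> dict:
    """Parse a NanoCore config (as emitted by a config extractor) into IOCs."""
    cfg = json.loads(config_json)
    port = int(cfg["Port"])

    # NanoCore stores its C2 hosts as Domain1..DomainN; the operator here set
    # both slots to the same name, so deduplicate while keeping slot order.
    domains = []
    for key in sorted(k for k in cfg if re.fullmatch(r"Domain\d+", k)):
        host = str(cfg[key]).strip().lower()
        if host and host not in domains:
            domains.append(host)

    # With UseCustomDNS enabled the implant resolves the C2 name through its
    # own resolvers, so the victim's internal DNS server never logs the lookup.
    custom_dns = []
    if cfg.get("UseCustomDNS") == "Enable":
        custom_dns = [cfg[k] for k in ("PrimaryDNSServer", "BackupDNSServer") if cfg.get(k)]

    return {
        "c2": [(host, port) for host in domains],
        "dynamic_dns": [h for h in domains if h.endswith(DYNDNS_SUFFIXES)],
        "mutex": cfg["Mutex"],
        "group": cfg.get("Group"),
        "enabled_features": sorted(k for k, v in cfg.items() if v == "Enable"),
        "custom_dns": custom_dns,
    }


def suricata_dns_rule(domain: str, sid: int) -> str:
    """Suricata 5+ rule on the DNS query name (the 'dns.query' sticky buffer).

    Matching on the wire is deliberate: because the implant may talk to
    8.8.8.8 directly, resolver-side logging would miss the query entirely.
    """
    return (f'alert dns $HOME_NET any -> any any (msg:"NanoCore C2 lookup {domain}"; '
            f'dns.query; content:"{domain}"; nocase; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    iocs = config_to_iocs(EXTRACTED_CONFIG)
    for host, port in iocs["c2"]:
        print(f"C2: {host}:{port}")
    print("enabled:", ", ".join(iocs["enabled_features"]))
    print("mutex:", iocs["mutex"])
    print(suricata_dns_rule(iocs["c2"][0][0], 1000001))  # SID is an assumption
```

The mutex is the cheapest host-side check (a running implant holds it), the DNS rule catches the beacon before the TCP session to port 7767 is established, and the enabled-feature list (keylogging, run on startup, ACL clearing) tells the responder what to expect on the host.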

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.285863508.00000000040C9000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x42ed7:$x1: NanoCore.ClientPluginHost
  • 0x75a97:$x1: NanoCore.ClientPluginHost
  • 0xa8647:$x1: NanoCore.ClientPluginHost
  • 0x42f14:$x2: IClientNetworkHost
  • 0x75ad4:$x2: IClientNetworkHost
  • 0xa8684:$x2: IClientNetworkHost
  • 0x46a47:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x79607:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0xac1b7:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.285863508.00000000040C9000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.285863508.00000000040C9000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0x42c3f:$a: NanoCore
    • 0x42c4f:$a: NanoCore
    • 0x42e83:$a: NanoCore
    • 0x42e97:$a: NanoCore
    • 0x42ed7:$a: NanoCore
    • 0x757ff:$a: NanoCore
    • 0x7580f:$a: NanoCore
    • 0x75a43:$a: NanoCore
    • 0x75a57:$a: NanoCore
    • 0x75a97:$a: NanoCore
    • 0xa83af:$a: NanoCore
    • 0xa83bf:$a: NanoCore
    • 0xa85f3:$a: NanoCore
    • 0xa8607:$a: NanoCore
    • 0xa8647:$a: NanoCore
    • 0x42c9e:$b: ClientPlugin
    • 0x42ea0:$b: ClientPlugin
    • 0x42ee0:$b: ClientPlugin
    • 0x7585e:$b: ClientPlugin
    • 0x75a60:$b: ClientPlugin
    • 0x75aa0:$b: ClientPlugin
00000009.00000002.499062665.0000000003969000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000009.00000002.499062665.0000000003969000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
      • 0x2ef5:$a: NanoCore
      • 0x2f4e:$a: NanoCore
      • 0x2f8b:$a: NanoCore
      • 0x3004:$a: NanoCore
      • 0x166af:$a: NanoCore
      • 0x166c4:$a: NanoCore
      • 0x166f9:$a: NanoCore
      • 0x2f17b:$a: NanoCore
      • 0x2f190:$a: NanoCore
      • 0x2f1c5:$a: NanoCore
      • 0x2f57:$b: ClientPlugin
      • 0x2f94:$b: ClientPlugin
      • 0x3892:$b: ClientPlugin
      • 0x389f:$b: ClientPlugin
      • 0x1646b:$b: ClientPlugin
      • 0x16486:$b: ClientPlugin
      • 0x164b6:$b: ClientPlugin
      • 0x166cd:$b: ClientPlugin
      • 0x16702:$b: ClientPlugin
      • 0x2ef37:$b: ClientPlugin
      • 0x2ef52:$b: ClientPlugin
(30 memory-dump entries in the full report; the remainder are not shown here)

      Unpacked PEs

Source | Rule | Description | Author | Strings
9.2.InstallUtil.exe.5290000.10.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
      • 0xd9ad:$x1: NanoCore.ClientPluginHost
      • 0xd9da:$x2: IClientNetworkHost
9.2.InstallUtil.exe.5290000.10.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
      • 0xd9ad:$x2: NanoCore.ClientPluginHost
      • 0xea88:$s4: PipeCreated
      • 0xd9c7:$s5: IClientLoggingHost
9.2.InstallUtil.exe.5290000.10.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.New Order 632487 PDF.exe.41f97a8.6.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
        • 0x1018d:$x1: NanoCore.ClientPluginHost
        • 0x101ca:$x2: IClientNetworkHost
        • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.New Order 632487 PDF.exe.41f97a8.6.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
        • 0xff05:$x1: NanoCore Client.exe
        • 0x1018d:$x2: NanoCore.ClientPluginHost
        • 0x117c6:$s1: PluginCommand
        • 0x117ba:$s2: FileCommand
        • 0x1266b:$s3: PipeExists
        • 0x18422:$s4: PipeCreated
        • 0x101b7:$s5: IClientLoggingHost
(107 unpacked-PE entries in the full report; the remainder are not shown here)

        Sigma Overview

        System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 6160, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
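That one file-create event is the Sigma hook, but the report shows a whole chain worth correlating: a lure-named dropper, a copy started from %AppData%, the .NET InstallUtil.exe launched from %Temp% instead of the Framework directory, run.dat written under a GUID folder, the outbound connection to port 7767, and a persisted binary whose on-disk name differs from what it is. As an added example, not Joe Sandbox's Sigma rule and not code from the report, the Python below runs that rule set over Sysmon-style process-creation (EventID 1), network (EventID 3) and file-create (EventID 11) events and correlates hits per process so the hollowed InstallUtil.exe ranks first. The events are constructed from the process tree above; the OriginalFileName on dhcpmon.exe is assumed from its MD5 matching the Temp InstallUtil.exe, and two benign events are included as controls.

```python
"""Rule-based detection of the NanoCore behaviour chain seen in this report,
run over constructed Sysmon-style events. Added example, not the sandbox's rule."""
import re
from collections import defaultdict

# Patterns encode artifacts from this report; the GUID folder generalises the
# single run.dat path shown in the Sigma match.
RUN_DAT = re.compile(
    r"\\AppData\\Roaming\\[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\\run\.dat$", re.I)
USER_WRITABLE_EXE = re.compile(r"\\AppData\\(?:Roaming|Local\\Temp)\\[^\\]+\.exe$", re.I)
LEGIT_INSTALLUTIL = re.compile(
    r"^C:\\Windows\\Microsoft\.NET\\Framework(?:64)?\\v[\d.]+\\InstallUtil\.exe$", re.I)
LURE_NAME = re.compile(r"[\s._-](?:pdf|docx?|xlsx?|jpe?g|png|txt)\.exe$", re.I)
C2_PORT = 7767  # from the extracted configuration


def check_event(ev: dict) -> list:
    """Return the names of every rule the event trips (empty = nothing)."""
    hits = []
    image = ev.get("Image", "")
    basename = image.rsplit("\\", 1)[-1]
    if ev["EventID"] == 1:  # process creation
        if basename.lower() == "installutil.exe" and not LEGIT_INSTALLUTIL.match(image):
            hits.append("installutil_outside_framework_dir")
        if USER_WRITABLE_EXE.search(image):
            hits.append("exe_started_from_user_writable_dir")
        if LURE_NAME.search(basename):
            hits.append("lure_double_extension_name")
        orig = ev.get("OriginalFileName")  # version-info name Sysmon records
        if orig and orig.lower() != basename.lower():
            hits.append("image_name_differs_from_originalfilename")
    elif ev["EventID"] == 11:  # file creation
        if RUN_DAT.search(ev.get("TargetFilename", "")):
            hits.append("nanocore_run_dat_written")
    elif ev["EventID"] == 3:  # network connection
        if ev.get("DestinationPort") == C2_PORT and USER_WRITABLE_EXE.search(image):
            hits.append("c2_port_from_user_writable_exe")
    return hits


def correlate(events) -> dict:
    """Collect distinct rule hits per ProcessId; a process tripping several
    independent rules is the one to look at first."""
    per_pid = defaultdict(set)
    for ev in events:
        for hit in check_event(ev):
            per_pid[ev["ProcessId"]].add(hit)
    return {pid: sorted(hits) for pid, hits in per_pid.items()}


# Constructed events mirroring the report's process tree (PIDs and paths from
# the report). OriginalFileName on dhcpmon.exe is assumed from its MD5 being
# identical to the Temp InstallUtil.exe. The last two events are benign controls.
EVENTS = [
    {"EventID": 1, "ProcessId": 6284,
     "Image": r"C:\Users\user\Desktop\New Order 632487 PDF.exe"},
    {"EventID": 1, "ProcessId": 7084, "Image": r"C:\Users\user\AppData\Roaming\a.exe"},
    {"EventID": 1, "ProcessId": 6160, "OriginalFileName": "InstallUtil.exe",
     "Image": r"C:\Users\user\AppData\Local\Temp\InstallUtil.exe"},
    {"EventID": 11, "ProcessId": 6160,
     "Image": r"C:\Users\user\AppData\Local\Temp\InstallUtil.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    {"EventID": 3, "ProcessId": 6160,
     "Image": r"C:\Users\user\AppData\Local\Temp\InstallUtil.exe",
     "DestinationIp": "193.218.118.85", "DestinationPort": 7767},
    {"EventID": 1, "ProcessId": 5440, "OriginalFileName": "InstallUtil.exe",
     "Image": r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"},
    {"EventID": 1, "ProcessId": 4242, "OriginalFileName": "InstallUtil.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"},
    {"EventID": 11, "ProcessId": 4242,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\report.lnk"},
]

if __name__ == "__main__":
    for pid, hits in sorted(correlate(EVENTS).items(), key=lambda kv: -len(kv[1])):
        print(pid, hits)
```

The run.dat rule is the high-confidence signal; the others are weak on their own (the framework-directory control shows why InstallUtil.exe must be judged by location, and a renamed signed binary trips the OriginalFileName rule in benign cases too), which is why they are correlated per process rather than alerted individually.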

        Signature Overview


        AV Detection:

Found malware configuration
Source: 00000009.00000002.499062665.0000000003969000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "d2ce8aef-f90b-4d6a-b5b0-ecbe54404c6b", "Group": "BOTS", "Domain1": "forcesbots.ddns.net", "Domain2": "forcesbots.ddns.net", "Port": 7767, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\a.exe, Metadefender: Detection: 16%
Source: C:\Users\user\AppData\Roaming\a.exe, ReversingLabs: Detection: 82%
Multi AV Scanner detection for submitted file
Source: New Order 632487 PDF.exe, Virustotal: Detection: 42%
Source: New Order 632487 PDF.exe, Metadefender: Detection: 16%
Source: New Order 632487 PDF.exe, ReversingLabs: Detection: 82%
Yara detected Nanocore RAT
Source: Yara match, File source: 00000000.00000002.285863508.00000000040C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.499062665.0000000003969000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.500185390.0000000003705000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.487651546.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.286576608.00000000041C6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.500785518.00000000038BA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.502699733.0000000005290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.500410926.00000000037BD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.493457156.0000000002921000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: InstallUtil.exe PID: 6160, type: MEMORY
Source: Yara match, File source: Process Memory Space: a.exe PID: 7084, type: MEMORY
Source: Yara match, File source: Process Memory Space: New Order 632487 PDF.exe PID: 6284, type: MEMORY
Source: Yara match, File source: 9.2.InstallUtil.exe.5290000.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.New Order 632487 PDF.exe.41f97a8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.a.exe.37efe42.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.InstallUtil.exe.5294629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.New Order 632487 PDF.exe.41614ba.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.a.exe.38ed8a0.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.a.exe.38ed8a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.a.exe.3822a02.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.InstallUtil.exe.396ff4c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.InstallUtil.exe.5290000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.a.exe.3709510.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.a.exe.38555b2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.New Order 632487 PDF.exe.41f97a8.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.a.exe.38bacf2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.a.exe.3822a02.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.New Order 632487 PDF.exe.412e90a.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.New Order 632487 PDF.exe.41614ba.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.a.exe.38bacf2.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.New Order 632487 PDF.exe.40fbd4a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.New Order 632487 PDF.exe.412e90a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.a.exe.38555b2.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.InstallUtil.exe.3974575.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.InstallUtil.exe.396ff4c.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.New Order 632487 PDF.exe.40fbd4a.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.InstallUtil.exe.396b116.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.a.exe.37efe42.2.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\a.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: New Order 632487 PDF.exe, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 9.2.InstallUtil.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.2.InstallUtil.exe.5290000.10.unpack, Avira: Label: TR/NanoCore.fadte

        Compliance:

Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: New Order 632487 PDF.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
        Source: Binary string: ?\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.491442052.0000000000E43000.00000004.00000020.sdmp
        Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000009.00000003.302155078.0000000000E91000.00000004.00000001.sdmp, dhcpmon.exe, 00000011.00000000.321576559.0000000000792000.00000002.00020000.sdmp, dhcpmon.exe.9.dr
        Source: Binary string: orlib.pdb source: InstallUtil.exe, 00000009.00000002.491442052.0000000000E43000.00000004.00000020.sdmp
        Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, dhcpmon.exe, dhcpmon.exe.9.dr
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 4x nop then lea esp, dword ptr [ebp-04h] (0_2_025A52DF)
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 4x nop then mov eax, dword ptr [ebp-2Ch] (0_2_025A5C8A)
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 4x nop then jmp 07212E56h (0_2_07212690)
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (0_2_07219298)
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 4x nop then mov esp, ebp (0_2_0721A9D8)
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (0_2_0721B8C0)
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 4x nop then jmp 07212E56h (0_2_07212680)
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (0_2_07219288)
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 4x nop then mov esp, ebp (0_2_0721A9C9)
Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (0_2_0721B8B1)
Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 4x nop then lea esp, dword ptr [ebp-04h] (6_2_04C452F0)
Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 4x nop then lea esp, dword ptr [ebp-04h] (6_2_04C452DF)
Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 4x nop then mov eax, dword ptr [ebp-2Ch] (6_2_04C45C8A)
Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 4x nop then jmp 05F72E56h (6_2_05F72690)
Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (6_2_05F79298)
Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 4x nop then jmp 05F72E56h (6_2_05F72680)
Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] (6_2_05F79288)
Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 4x nop then lea esp, dword ptr [ebp-04h] (7_2_02C752F0)
Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 4x nop then lea esp, dword ptr [ebp-04h] (7_2_02C752DF)
Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 4x nop then mov eax, dword ptr [ebp-2Ch] (7_2_02C75C8A)
Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 4x nop then mov eax, dword ptr [ebp-2Ch] (7_2_02C75CB2)

        Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: forcesbots.ddns.net
Uses dynamic DNS services
Source: unknown, DNS query: name: forcesbots.ddns.net
Source: global traffic, TCP traffic: 192.168.2.3:49724 -> 193.218.118.85:7767
Source: Joe Sandbox View, IP Address: 193.218.118.85
Source: Joe Sandbox View, ASN Name: EPINATURAUA
Source: unknown, DNS traffic detected: queries for: forcesbots.ddns.net
Source: a.exe, 00000007.00000002.286882790.0000000002CEE000.00000004.00000001.sdmp, String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: New Order 632487 PDF.exe, 00000000.00000003.224354770.0000000008982000.00000004.00000001.sdmp, a.exe, 00000006.00000003.266327505.0000000008A72000.00000004.00000001.sdmp, String found in binary or memory: http://ns.adb
Source: New Order 632487 PDF.exe, 00000000.00000003.232281575.0000000008982000.00000004.00000001.sdmp, New Order 632487 PDF.exe, 00000000.00000003.279683656.0000000008989000.00000004.00000001.sdmp, a.exe, 00000006.00000003.269005618.0000000008A72000.00000004.00000001.sdmp, String found in binary or memory: http://ns.ado/1
Source: New Order 632487 PDF.exe, 00000000.00000003.232281575.0000000008982000.00000004.00000001.sdmp, New Order 632487 PDF.exe, 00000000.00000003.279683656.0000000008989000.00000004.00000001.sdmp, a.exe, 00000006.00000003.269005618.0000000008A72000.00000004.00000001.sdmp, String found in binary or memory: http://ns.adobe.c/g
Source: New Order 632487 PDF.exe, 00000000.00000003.232281575.0000000008982000.00000004.00000001.sdmp, New Order 632487 PDF.exe, 00000000.00000003.279683656.0000000008989000.00000004.00000001.sdmp, a.exe, 00000006.00000003.269005618.0000000008A72000.00000004.00000001.sdmp, String found in binary or memory: http://ns.adobe.cobj
Source: a.exe, 00000007.00000002.286882790.0000000002CEE000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: a.exe, 00000007.00000002.286882790.0000000002CEE000.00000004.00000001.sdmp, String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: New Order 632487 PDF.exe, 00000000.00000002.283382208.00000000027CD000.00000004.00000001.sdmp, a.exe, 00000006.00000002.492633026.000000000272D000.00000004.00000001.sdmp, a.exe, 00000006.00000002.492720693.0000000002743000.00000004.00000001.sdmp, a.exe, 00000007.00000002.286925043.0000000002D04000.00000004.00000001.sdmp, a.exe, 00000007.00000002.286882790.0000000002CEE000.00000004.00000001.sdmp, String found in binary or memory: http://schema.org/WebPage
Source: New Order 632487 PDF.exe, 00000000.00000002.283313795.00000000027A1000.00000004.00000001.sdmp, a.exe, 00000006.00000002.492451984.0000000002701000.00000004.00000001.sdmp, a.exe, 00000007.00000002.286813086.0000000002CC1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: a.exe, String found in binary or memory: https://github.com/PraneethMadush
Source: New Order 632487 PDF.exe, 00000000.00000002.283313795.00000000027A1000.00000004.00000001.sdmp, a.exe, 00000006.00000002.492451984.0000000002701000.00000004.00000001.sdmp, a.exe, 00000007.00000002.286813086.0000000002CC1000.00000004.00000001.sdmp, String found in binary or memory: https://www.google.com
Source: a.exe, 00000007.00000002.286813086.0000000002CC1000.00000004.00000001.sdmp, String found in binary or memory: https://www.google.com/
Installs a raw input device (often for capturing keystrokes)
Source: InstallUtil.exe, 00000009.00000002.499062665.0000000003969000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

Yara detected Nanocore RAT
Source: the same Yara matches listed under AV Detection above (memory dumps, process memory spaces of InstallUtil.exe PID 6160, a.exe PID 7084 and New Order 632487 PDF.exe PID 6284, and the unpacked PEs)

        System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.285863508.00000000040C9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.285863508.00000000040C9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.499062665.0000000003969000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.500185390.0000000003705000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000006.00000002.500185390.0000000003705000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.487651546.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000009.00000002.487651546.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.286576608.00000000041C6000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.286576608.00000000041C6000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.500785518.00000000038BA000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000006.00000002.500785518.00000000038BA000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.502699733.0000000005290000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000006.00000002.500410926.00000000037BD000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000006.00000002.500410926.00000000037BD000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.502105308.0000000005060000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: InstallUtil.exe PID: 6160, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: InstallUtil.exe PID: 6160, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: a.exe PID: 7084, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: a.exe PID: 7084, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: New Order 632487 PDF.exe PID: 6284, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: New Order 632487 PDF.exe PID: 6284, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.InstallUtil.exe.5290000.10.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0.2.New Order 632487 PDF.exe.41f97a8.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0.2.New Order 632487 PDF.exe.41f97a8.6.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.a.exe.37efe42.2.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.a.exe.37efe42.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.InstallUtil.exe.5294629.9.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0.2.New Order 632487 PDF.exe.41614ba.4.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0.2.New Order 632487 PDF.exe.41614ba.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.a.exe.38ed8a0.5.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.a.exe.38ed8a0.5.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.InstallUtil.exe.5060000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.a.exe.38ed8a0.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.a.exe.38ed8a0.5.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.a.exe.3822a02.4.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.a.exe.3822a02.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.InstallUtil.exe.396ff4c.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 9.2.InstallUtil.exe.2956ad8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 9.2.InstallUtil.exe.5290000.10.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.a.exe.3709510.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.a.exe.3709510.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.a.exe.38555b2.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.a.exe.38555b2.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.New Order 632487 PDF.exe.41f97a8.6.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0.2.New Order 632487 PDF.exe.41f97a8.6.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.a.exe.38bacf2.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.a.exe.38bacf2.6.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.a.exe.3822a02.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.a.exe.3822a02.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.New Order 632487 PDF.exe.412e90a.3.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
        Source: 0.2.New Order 632487 PDF.exe.412e90a.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.New Order 632487 PDF.exe.41614ba.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.New Order 632487 PDF.exe.41614ba.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 6.2.a.exe.38bacf2.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 6.2.a.exe.38bacf2.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.New Order 632487 PDF.exe.40fbd4a.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.New Order 632487 PDF.exe.40fbd4a.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.New Order 632487 PDF.exe.412e90a.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.New Order 632487 PDF.exe.412e90a.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 6.2.a.exe.38555b2.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 6.2.a.exe.38555b2.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 9.2.InstallUtil.exe.3974575.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 9.2.InstallUtil.exe.396ff4c.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.New Order 632487 PDF.exe.40fbd4a.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.New Order 632487 PDF.exe.40fbd4a.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 9.2.InstallUtil.exe.396b116.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 9.2.InstallUtil.exe.396b116.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 6.2.a.exe.37efe42.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 6.2.a.exe.37efe42.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Initial sample is a PE file and has a suspicious name
        Source: initial sample, Static PE information: Filename: New Order 632487 PDF.exe
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_06B52050 CreateProcessAsUserW
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 0_2_025AF378
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 0_2_025AD1A0
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 0_2_025A5588
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 0_2_025A5869
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 0_2_025ADC48
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 0_2_025AA718
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 0_2_025AA709
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 0_2_07212690
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 0_2_07210FB8
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 0_2_07212E80
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 0_2_07219928
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 0_2_07213938
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 0_2_07212680
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 0_2_0721A439
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 0_2_0721A448
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 0_2_07210FB0
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 0_2_07213E20
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 0_2_07212E6F
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 0_2_07216AC0
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 0_2_07219918
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe, Code function: 0_2_001A27EA
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_04C45598
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_04C4D1A0
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_04C4F378
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_04C4DC48
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_04C45878
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_04C4A709
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_04C4A718
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_04C475EA
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_04C45588
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_04C45869
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_05F79478
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_05F7E798
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_05F72690
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_05F7CCD8
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_05F7AFC8
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_05F70FB8
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_05F7EEC8
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_05F72E80
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_05F73E20
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_05F7B9B0
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_05F79468
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_05F7E788
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_05F72680
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_05F793E7
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_05F7AFBB
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_05F70FA8
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_05F7EEBB
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_05F72E6F
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_05F73E1B
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_05F7B9A1
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_05F73938
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_05F7AB69
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_05F76AC0
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_06B536C0
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_06B50DA0
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_06B52568
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_06B536B0
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_06B54290
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_06B50688
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_06B50210
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_06B50201
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_06B5067B
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_06B50D90
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 6_2_06B51920
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 7_2_02C7F378
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 7_2_02C7D1A0
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 7_2_02C75598
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 7_2_02C75878
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 7_2_02C7DC48
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 7_2_02C7A70A
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 7_2_02C7A718
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 7_2_02C775EA
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 7_2_02C75588
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 7_2_02C75869
        Source: C:\Users\user\AppData\Roaming\a.exe, Code function: 7_2_008227EA
        Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, Code function: 9_2_006A20B0
        Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, Code function: 9_2_04E5E480
        Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, Code function: 9_2_04E5E471
        Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, Code function: 9_2_04E5BBD4
        Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, Code function: 9_2_04F2F5F8
        Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, Code function: 9_2_04F29788
        Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, Code function: 9_2_04F2A610
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 17_2_007920B0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Code function: 17_2_050207C8
        Source: Joe Sandbox View, Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
        Source: New Order 632487 PDF.exe, 00000000.00000002.282502339.0000000002550000.00000002.00000001.sdmp, Binary or memory string: originalfilename vs New Order 632487 PDF.exe
        Source: New Order 632487 PDF.exe, 00000000.00000002.282502339.0000000002550000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs New Order 632487 PDF.exe
        Source: New Order 632487 PDF.exe, 00000000.00000002.282331462.00000000024F0000.00000002.00000001.sdmp, Binary or memory string: System.OriginalFileName vs New Order 632487 PDF.exe
        Source: New Order 632487 PDF.exe, 00000000.00000002.289903582.0000000005D60000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs New Order 632487 PDF.exe
        Source: New Order 632487 PDF.exe, 00000000.00000002.290562806.0000000005F40000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSHCore1.dll0 vs New Order 632487 PDF.exe
        Source: 00000000.00000002.285863508.00000000040C9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.285863508.00000000040C9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000002.499062665.0000000003969000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.500185390.0000000003705000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000002.500185390.0000000003705000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000002.487651546.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000009.00000002.487651546.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.286576608.00000000041C6000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.286576608.00000000041C6000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.500785518.00000000038BA000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000002.500785518.00000000038BA000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000002.502699733.0000000005290000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000009.00000002.502699733.0000000005290000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000006.00000002.500410926.00000000037BD000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000002.500410926.00000000037BD000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000002.502105308.0000000005060000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000009.00000002.502105308.0000000005060000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: Process Memory Space: InstallUtil.exe PID: 6160, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: InstallUtil.exe PID: 6160, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: a.exe PID: 7084, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: a.exe PID: 7084, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: New Order 632487 PDF.exe PID: 6284, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: New Order 632487 PDF.exe PID: 6284, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.2.InstallUtil.exe.5290000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.InstallUtil.exe.5290000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.New Order 632487 PDF.exe.41f97a8.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.New Order 632487 PDF.exe.41f97a8.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.New Order 632487 PDF.exe.41f97a8.6.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.a.exe.37efe42.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.a.exe.37efe42.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 6.2.a.exe.37efe42.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.2.InstallUtil.exe.5294629.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.InstallUtil.exe.5294629.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.New Order 632487 PDF.exe.41614ba.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.New Order 632487 PDF.exe.41614ba.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.New Order 632487 PDF.exe.41614ba.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.a.exe.38ed8a0.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.a.exe.38ed8a0.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 6.2.a.exe.38ed8a0.5.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.2.InstallUtil.exe.5060000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.InstallUtil.exe.5060000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 6.2.a.exe.38ed8a0.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.a.exe.38ed8a0.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 6.2.a.exe.38ed8a0.5.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.a.exe.3822a02.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.a.exe.3822a02.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 6.2.a.exe.3822a02.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.2.InstallUtil.exe.396ff4c.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.InstallUtil.exe.396ff4c.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 9.2.InstallUtil.exe.2956ad8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.InstallUtil.exe.2956ad8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 9.2.InstallUtil.exe.5290000.10.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.InstallUtil.exe.5290000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 6.2.a.exe.3709510.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.a.exe.3709510.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 6.2.a.exe.3709510.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.a.exe.38555b2.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.a.exe.38555b2.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 6.2.a.exe.38555b2.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.New Order 632487 PDF.exe.41f97a8.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.New Order 632487 PDF.exe.41f97a8.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.New Order 632487 PDF.exe.41f97a8.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.a.exe.38bacf2.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.a.exe.38bacf2.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 6.2.a.exe.38bacf2.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.a.exe.3822a02.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.a.exe.3822a02.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 6.2.a.exe.3822a02.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.New Order 632487 PDF.exe.412e90a.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.New Order 632487 PDF.exe.412e90a.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.New Order 632487 PDF.exe.412e90a.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.New Order 632487 PDF.exe.41614ba.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.New Order 632487 PDF.exe.41614ba.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.New Order 632487 PDF.exe.41614ba.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.a.exe.38bacf2.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.a.exe.38bacf2.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 6.2.a.exe.38bacf2.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.New Order 632487 PDF.exe.40fbd4a.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.New Order 632487 PDF.exe.40fbd4a.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.New Order 632487 PDF.exe.412e90a.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.New Order 632487 PDF.exe.412e90a.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.New Order 632487 PDF.exe.412e90a.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.a.exe.38555b2.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.a.exe.38555b2.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 6.2.a.exe.38555b2.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.2.InstallUtil.exe.3974575.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.InstallUtil.exe.3974575.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 9.2.InstallUtil.exe.396ff4c.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.InstallUtil.exe.396ff4c.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.New Order 632487 PDF.exe.40fbd4a.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.New Order 632487 PDF.exe.40fbd4a.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.New Order 632487 PDF.exe.40fbd4a.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.2.InstallUtil.exe.396b116.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 9.2.InstallUtil.exe.396b116.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 9.2.InstallUtil.exe.396b116.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 6.2.a.exe.37efe42.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 6.2.a.exe.37efe42.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: New Order 632487 PDF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: a.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 9.2.InstallUtil.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 9.2.InstallUtil.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 9.2.InstallUtil.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: classification engineClassification label: mal100.troj.evad.winEXE@8/10@6/1
        Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnkJump to behavior
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6340:120:WilError_01
        Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{d2ce8aef-f90b-4d6a-b5b0-ecbe54404c6b}
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exeFile created: C:\Users\user\AppData\Local\Temp\InstallUtil.exeJump to behavior
        Source: New Order 632487 PDF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\a.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\a.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exeFile read: C:\Users\desktop.iniJump to behavior
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\AppData\Roaming\a.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\AppData\Roaming\a.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\AppData\Roaming\a.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\AppData\Roaming\a.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: New Order 632487 PDF.exeVirustotal: Detection: 42%
        Source: New Order 632487 PDF.exeMetadefender: Detection: 16%
        Source: New Order 632487 PDF.exeReversingLabs: Detection: 82%
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exeFile read: C:\Users\user\Desktop\New Order 632487 PDF.exeJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\New Order 632487 PDF.exe 'C:\Users\user\Desktop\New Order 632487 PDF.exe'
        Source: unknownProcess created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
        Source: unknownProcess created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
        Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exeProcess created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe' Jump to behavior
        Source: C:\Users\user\AppData\Roaming\a.exeProcess created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exeJump to behavior
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32Jump to behavior
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
        Source: New Order 632487 PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: New Order 632487 PDF.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
        Source: Binary string: ?\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.491442052.0000000000E43000.00000004.00000020.sdmp
        Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000009.00000003.302155078.0000000000E91000.00000004.00000001.sdmp, dhcpmon.exe, 00000011.00000000.321576559.0000000000792000.00000002.00020000.sdmp, dhcpmon.exe.9.dr
        Source: Binary string: orlib.pdb source: InstallUtil.exe, 00000009.00000002.491442052.0000000000E43000.00000004.00000020.sdmp
        Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, dhcpmon.exe, dhcpmon.exe.9.dr

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: New Order 632487 PDF.exe, Bd0/Li9.cs | .Net Code: c4X System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: a.exe.0.dr, Bd0/Li9.cs | .Net Code: c4X System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.0.New Order 632487 PDF.exe.1a0000.0.unpack, Bd0/Li9.cs | .Net Code: c4X System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.2.New Order 632487 PDF.exe.1a0000.0.unpack, Bd0/Li9.cs | .Net Code: c4X System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 6.0.a.exe.380000.0.unpack, Bd0/Li9.cs | .Net Code: c4X System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 6.2.a.exe.380000.0.unpack, Bd0/Li9.cs | .Net Code: c4X System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.2.a.exe.820000.0.unpack, Bd0/Li9.cs | .Net Code: c4X System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.0.a.exe.820000.0.unpack, Bd0/Li9.cs | .Net Code: c4X System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 9.2.InstallUtil.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 9.2.InstallUtil.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe | Code function: 0_2_001C738C push esi; iretd 0_2_001C738D
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe | Code function: 0_2_001C8E8C push esi; iretd 0_2_001C8E8F
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe | Code function: 0_2_001C84D8 push ebx; ret 0_2_001C84D9
        Source: C:\Users\user\AppData\Roaming\a.exe | Code function: 6_2_003A738C push esi; iretd 6_2_003A738D
        Source: C:\Users\user\AppData\Roaming\a.exe | Code function: 6_2_003A8E8C push esi; iretd 6_2_003A8E8F
        Source: C:\Users\user\AppData\Roaming\a.exe | Code function: 6_2_003A84D8 push ebx; ret 6_2_003A84D9
        Source: C:\Users\user\AppData\Roaming\a.exe | Code function: 6_2_06B53628 push esp; retf 6_2_06B53629
        Source: C:\Users\user\AppData\Roaming\a.exe | Code function: 7_2_0084738C push esi; iretd 7_2_0084738D
        Source: C:\Users\user\AppData\Roaming\a.exe | Code function: 7_2_00848E8C push esi; iretd 7_2_00848E8F
        Source: C:\Users\user\AppData\Roaming\a.exe | Code function: 7_2_008484D8 push ebx; ret 7_2_008484D9
        Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_04F269F8 pushad ; retf 9_2_04F269F9
        Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_04F26A00 push esp; retf 9_2_04F26A01
        Source: initial sample | Static PE information: section name: .text entropy: 7.31108517286 (2 occurrences)
        Source: New Order 632487 PDF.exe, m0A/Nc7.cs | High entropy of concatenated method names: '.ctor', 'n6G', 'b9L', 'Fi9', '.cctor', 'z9C', 'd5W', 'Ng0', 'm0H', 's8N5'
        Source: a.exe.0.dr, m0A/Nc7.cs | High entropy of concatenated method names: '.ctor', 'n6G', 'b9L', 'Fi9', '.cctor', 'z9C', 'd5W', 'Ng0', 'm0H', 's8N5'
        Source: 0.0.New Order 632487 PDF.exe.1a0000.0.unpack, m0A/Nc7.cs | High entropy of concatenated method names: '.ctor', 'n6G', 'b9L', 'Fi9', '.cctor', 'z9C', 'd5W', 'Ng0', 'm0H', 's8N5'
        Source: 0.2.New Order 632487 PDF.exe.1a0000.0.unpack, m0A/Nc7.cs | High entropy of concatenated method names: '.ctor', 'n6G', 'b9L', 'Fi9', '.cctor', 'z9C', 'd5W', 'Ng0', 'm0H', 's8N5'
        Source: 6.0.a.exe.380000.0.unpack, m0A/Nc7.cs | High entropy of concatenated method names: '.ctor', 'n6G', 'b9L', 'Fi9', '.cctor', 'z9C', 'd5W', 'Ng0', 'm0H', 's8N5'
        Source: 6.2.a.exe.380000.0.unpack, m0A/Nc7.cs | High entropy of concatenated method names: '.ctor', 'n6G', 'b9L', 'Fi9', '.cctor', 'z9C', 'd5W', 'Ng0', 'm0H', 's8N5'
        Source: 7.2.a.exe.820000.0.unpack, m0A/Nc7.cs | High entropy of concatenated method names: '.ctor', 'n6G', 'b9L', 'Fi9', '.cctor', 'z9C', 'd5W', 'Ng0', 'm0H', 's8N5'
        Source: 7.0.a.exe.820000.0.unpack, m0A/Nc7.cs | High entropy of concatenated method names: '.ctor', 'n6G', 'b9L', 'Fi9', '.cctor', 'z9C', 'd5W', 'Ng0', 'm0H', 's8N5'
        Source: 9.2.InstallUtil.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 9.2.InstallUtil.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe | File created: C:\Users\user\AppData\Roaming\a.exe (dropped file)
        Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe (dropped file)
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe | File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe (dropped file)
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk (2 occurrences)

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe | File opened: C:\Users\user\Desktop\New Order 632487 PDF.exe\:Zone.Identifier read attributes | delete
        Source: C:\Users\user\AppData\Roaming\a.exe | File opened: C:\Users\user\AppData\Roaming\a.exe\:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe | Process information set: NOOPENFILEERRORBOX (49 occurrences)
        Source: C:\Users\user\AppData\Roaming\a.exe | Process information set: NOOPENFILEERRORBOX (91 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX (38 occurrences)
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX (17 occurrences)
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_04F2C040 sgdt fword ptr [00000000h]
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
        Source: C:\Users\user\AppData\Roaming\a.exe | Thread delayed: delay time: 922337203685477 (3 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Window / User API: threadDelayed 5013
        Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Window / User API: threadDelayed 4565
        Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Window / User API: foregroundWindowGot 637
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe TID: 6652 | Thread sleep time: -2767011611056431s >= -30000s
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe TID: 6712 | Thread sleep count: 45 > 30
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe TID: 6320 | Thread sleep time: -30000s >= -30000s
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe TID: 6308 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\a.exe TID: 5816 | Thread sleep count: 168 > 30
        Source: C:\Users\user\AppData\Roaming\a.exe TID: 5816 | Thread sleep time: -168000s >= -30000s
        Source: C:\Users\user\AppData\Roaming\a.exe TID: 5812 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\a.exe TID: 6512 | Thread sleep count: 179 > 30
        Source: C:\Users\user\AppData\Roaming\a.exe TID: 6156 | Thread sleep count: 173 > 30
        Source: C:\Users\user\AppData\Roaming\a.exe TID: 6156 | Thread sleep time: -173000s >= -30000s
        Source: C:\Users\user\AppData\Roaming\a.exe TID: 5812 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\a.exe TID: 6500 | Thread sleep time: -30000s >= -30000s
        Source: C:\Users\user\AppData\Roaming\a.exe TID: 6312 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 7124 | Thread sleep time: -10145709240540247s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2344 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\a.exe | Last function: Thread delayed (2 occurrences)
        Source: a.exe, 00000007.00000002.287183721.0000000003CC9000.00000004.00000001.sdmp | Binary or memory string: VMware
        Source: a.exe, 00000007.00000002.287183721.0000000003CC9000.00000004.00000001.sdmp | Binary or memory string: vmware svga
        Source: a.exe, 00000007.00000002.287183721.0000000003CC9000.00000004.00000001.sdmp | Binary or memory string: vmware
        Source: New Order 632487 PDF.exe, 00000000.00000002.290562806.0000000005F40000.00000004.00000001.sdmp, a.exe, 00000006.00000002.500185390.0000000003705000.00000004.00000001.sdmp, a.exe, 00000007.00000002.287183721.0000000003CC9000.00000004.00000001.sdmp | Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
        Source: New Order 632487 PDF.exe, 00000000.00000002.290562806.0000000005F40000.00000004.00000001.sdmp, a.exe, 00000006.00000002.500185390.0000000003705000.00000004.00000001.sdmp, a.exe, 00000007.00000002.287183721.0000000003CC9000.00000004.00000001.sdmp | Binary or memory string: cmd.txtQEMUqemu
        Source: New Order 632487 PDF.exe, 00000000.00000002.290562806.0000000005F40000.00000004.00000001.sdmp, a.exe, 00000006.00000002.500185390.0000000003705000.00000004.00000001.sdmp, a.exe, 00000007.00000002.287183721.0000000003CC9000.00000004.00000001.sdmp | Binary or memory string: vmusrvc
        Source: a.exe, 00000007.00000002.287183721.0000000003CC9000.00000004.00000001.sdmp | Binary or memory string: vmsrvc
        Source: a.exe, 00000007.00000002.287183721.0000000003CC9000.00000004.00000001.sdmp | Binary or memory string: vmtools
        Source: a.exe, 00000007.00000002.287183721.0000000003CC9000.00000004.00000001.sdmp | Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
        Source: a.exe, 00000007.00000002.287183721.0000000003CC9000.00000004.00000001.sdmp | Binary or memory string: vboxservicevbox)Microsoft Virtual PC
        Source: a.exe, 00000007.00000002.287183721.0000000003CC9000.00000004.00000001.sdmp | Binary or memory string: virtual-vmware pointing device
        Source: InstallUtil.exe, 00000009.00000002.491442052.0000000000E43000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe | Process token adjusted: Debug
        Source: C:\Users\user\AppData\Roaming\a.exe | Process token adjusted: Debug (2 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Allocates memory in foreign processes
        Source: C:\Users\user\AppData\Roaming\a.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 protect: page execute and read and write
        Injects a PE file into a foreign processes
        Source: C:\Users\user\AppData\Roaming\a.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
        Writes to foreign memory regions
        Source: C:\Users\user\AppData\Roaming\a.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
        Source: C:\Users\user\AppData\Roaming\a.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
        Source: C:\Users\user\AppData\Roaming\a.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 420000
        Source: C:\Users\user\AppData\Roaming\a.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 422000
        Source: C:\Users\user\AppData\Roaming\a.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 8EF008
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe | Process created: C:\Users\user\AppData\Roaming\a.exe 'C:\Users\user\AppData\Roaming\a.exe'
        Source: C:\Users\user\AppData\Roaming\a.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
        Source: a.exe, 00000006.00000002.491787126.0000000001140000.00000002.00000001.sdmp, InstallUtil.exe, 00000009.00000002.496290459.0000000002D1E000.00000004.00000001.sdmp | Binary or memory string: Program Manager
        Source: a.exe, 00000006.00000002.491787126.0000000001140000.00000002.00000001.sdmp, InstallUtil.exe, 00000009.00000002.493051495.0000000001300000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
        Source: a.exe, 00000006.00000002.491787126.0000000001140000.00000002.00000001.sdmp, InstallUtil.exe, 00000009.00000002.493051495.0000000001300000.00000002.00000001.sdmp | Binary or memory string: Progman
        Source: a.exe, 00000006.00000002.491787126.0000000001140000.00000002.00000001.sdmp, InstallUtil.exe, 00000009.00000002.493051495.0000000001300000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
        Source: InstallUtil.exe, 00000009.00000002.503844740.00000000065BD000.00000004.00000010.sdmp | Binary or memory string: Program Manager@2
        Source: InstallUtil.exe, 00000009.00000002.503923827.000000000697E000.00000004.00000001.sdmp | Binary or memory string: Program Manager@
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe | Queries volume information: C:\Users\user\Desktop\New Order 632487 PDF.exe VolumeInformation
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\AppData\Roaming\a.exe | Queries volume information: C:\Users\user\AppData\Roaming\a.exe VolumeInformation
        Source: C:\Users\user\AppData\Roaming\a.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\AppData\Roaming\a.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\AppData\Roaming\a.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\AppData\Roaming\a.exe | Queries volume information: C:\Users\user\AppData\Roaming\a.exe VolumeInformation
        Source: C:\Users\user\AppData\Roaming\a.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Roaming\a.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Roaming\a.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\New Order 632487 PDF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.285863508.00000000040C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.499062665.0000000003969000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.500185390.0000000003705000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.487651546.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.286576608.00000000041C6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.500785518.00000000038BA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.502699733.0000000005290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.500410926.00000000037BD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.493457156.0000000002921000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6160, type: MEMORY
Source: Yara match | File source: Process Memory Space: a.exe PID: 7084, type: MEMORY
Source: Yara match | File source: Process Memory Space: New Order 632487 PDF.exe PID: 6284, type: MEMORY
Source: Yara match | File source: 9.2.InstallUtil.exe.5290000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New Order 632487 PDF.exe.41f97a8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.a.exe.37efe42.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.InstallUtil.exe.5294629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New Order 632487 PDF.exe.41614ba.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.a.exe.38ed8a0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.a.exe.38ed8a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.a.exe.3822a02.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.InstallUtil.exe.396ff4c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.InstallUtil.exe.5290000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.a.exe.3709510.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New Order 632487 PDF.exe.41c6bfa.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.a.exe.38555b2.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New Order 632487 PDF.exe.41f97a8.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.a.exe.38bacf2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.a.exe.3822a02.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New Order 632487 PDF.exe.412e90a.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New Order 632487 PDF.exe.41614ba.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.a.exe.38bacf2.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New Order 632487 PDF.exe.40fbd4a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New Order 632487 PDF.exe.412e90a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.a.exe.38555b2.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.InstallUtil.exe.3974575.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.InstallUtil.exe.396ff4c.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.New Order 632487 PDF.exe.40fbd4a.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.InstallUtil.exe.396b116.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.a.exe.37efe42.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: New Order 632487 PDF.exe, 00000000.00000002.285863508.00000000040C9000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: a.exe, 00000006.00000002.500185390.0000000003705000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 00000009.00000002.499062665.0000000003969000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 00000009.00000002.499062665.0000000003969000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT (same memory-dump, process-memory and unpacked-PE matches as listed under Stealing of Sensitive Information)

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts 1 | Windows Management Instrumentation | Startup Items 1 | Startup Items 1 | Disable or Modify Tools 1 | Input Capture 11 | File and Directory Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Valid Accounts 1 | Valid Accounts 1 | Deobfuscate/Decode Files or Information 1 | LSASS Memory | System Information Discovery 12 | Remote Desktop Protocol | Input Capture 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Registry Run Keys / Startup Folder 2 | Access Token Manipulation 1 | Obfuscated Files or Information 3 | Security Account Manager | Query Registry 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Process Injection 312 | Software Packing 13 | NTDS | Security Software Discovery 111 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Registry Run Keys / Startup Folder 2 | Masquerading 2 | LSA Secrets | Virtualization/Sandbox Evasion 4 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 21 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Valid Accounts 1 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation 1 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion 4 | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 312 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Hidden Files and Directories 1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

        Behavior Graph


        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

Source | Detection | Scanner | Label
New Order 632487 PDF.exe | 43% | Virustotal |
New Order 632487 PDF.exe | 22% | Metadefender |
New Order 632487 PDF.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
New Order 632487 PDF.exe | 100% | Joe Sandbox ML |

        Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\a.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\a.exe | 22% | Metadefender |
C:\Users\user\AppData\Roaming\a.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

        Unpacked PE Files

Source | Detection | Scanner | Label
9.2.InstallUtil.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
9.2.InstallUtil.exe.5290000.10.unpack | 100% | Avira | TR/NanoCore.fadte

        Domains

Source | Detection | Scanner | Label
forcesbots.ddns.net | 2% | Virustotal |

        URLs

Source | Detection | Scanner | Label
http://ns.adb | 0% | Avira URL Cloud | safe
http://pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe
http://ns.adobe.c/g | 0% | URL Reputation | safe
http://ns.adobe.cobj | 0% | URL Reputation | safe
http://ocsp.pki.goog/gts1o1core0 | 0% | URL Reputation | safe
forcesbots.ddns.net | 2% | Virustotal |
forcesbots.ddns.net | 0% | Avira URL Cloud | safe
http://crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation | safe
http://ns.ado/1 | 0% | URL Reputation | safe

        Domains and IPs

        Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
forcesbots.ddns.net | 193.218.118.85 | true | true | | unknown

        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
forcesbots.ddns.net | true | 2% Virustotal; Avira URL Cloud: safe | unknown

        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://ns.adb | New Order 632487 PDF.exe, 00000000.00000003.224354770.0000000008982000.00000004.00000001.sdmp, a.exe, 00000006.00000003.266327505.0000000008A72000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://pki.goog/gsr2/GTS1O1.crt0 | a.exe, 00000007.00000002.286882790.0000000002CEE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ns.adobe.c/g | New Order 632487 PDF.exe, 00000000.00000003.232281575.0000000008982000.00000004.00000001.sdmp, New Order 632487 PDF.exe, 00000000.00000003.279683656.0000000008989000.00000004.00000001.sdmp, a.exe, 00000006.00000003.269005618.0000000008A72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ns.adobe.cobj | New Order 632487 PDF.exe, 00000000.00000003.232281575.0000000008982000.00000004.00000001.sdmp, New Order 632487 PDF.exe, 00000000.00000003.279683656.0000000008989000.00000004.00000001.sdmp, a.exe, 00000006.00000003.269005618.0000000008A72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://github.com/PraneethMadush | a.exe | false | | high
http://ocsp.pki.goog/gts1o1core0 | a.exe, 00000007.00000002.286882790.0000000002CEE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | New Order 632487 PDF.exe, 00000000.00000002.283313795.00000000027A1000.00000004.00000001.sdmp, a.exe, 00000006.00000002.492451984.0000000002701000.00000004.00000001.sdmp, a.exe, 00000007.00000002.286813086.0000000002CC1000.00000004.00000001.sdmp | false | | high
http://schema.org/WebPage | New Order 632487 PDF.exe, 00000000.00000002.283382208.00000000027CD000.00000004.00000001.sdmp, a.exe, 00000006.00000002.492633026.000000000272D000.00000004.00000001.sdmp, a.exe, 00000006.00000002.492720693.0000000002743000.00000004.00000001.sdmp, a.exe, 00000007.00000002.286925043.0000000002D04000.00000004.00000001.sdmp, a.exe, 00000007.00000002.286882790.0000000002CEE000.00000004.00000001.sdmp | false | | high
http://crl.pki.goog/GTS1O1core.crl0 | a.exe, 00000007.00000002.286882790.0000000002CEE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ns.ado/1 | New Order 632487 PDF.exe, 00000000.00000003.232281575.0000000008982000.00000004.00000001.sdmp, New Order 632487 PDF.exe, 00000000.00000003.279683656.0000000008989000.00000004.00000001.sdmp, a.exe, 00000006.00000003.269005618.0000000008A72000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

              Contacted IPs


              Public

IP | Domain | Country | ASN | ASN Name | Malicious
193.218.118.85 | unknown | Ukraine | 207656 | EPINATURAUA | true

              General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 357128
Start date: 24.02.2021
Start time: 08:26:02
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 44s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: New Order 632487 PDF.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@8/10@6/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.9% (good quality ratio 0.6%)
• Quality average: 39.7%
• Quality standard deviation: 34.5%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 98
• Number of non-executed functions: 8
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 51.104.144.132, 204.79.197.200, 13.107.21.200, 93.184.220.29, 92.122.145.220, 104.42.151.234, 142.250.185.164, 13.64.90.137, 13.88.21.125, 168.61.161.212, 52.147.198.201, 23.218.208.56, 52.255.188.83, 8.248.147.254, 8.253.207.121, 67.26.83.254, 8.248.119.254, 8.253.207.120, 92.122.213.247, 92.122.213.194, 20.54.26.129
• Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, cs9.wac.phicdn.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, www.google.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.

              Simulations

              Behavior and APIs

Time | Type | Description
08:27:09 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk
08:27:26 | API Interceptor | 1x Sleep call for process: New Order 632487 PDF.exe modified
08:27:28 | API Interceptor | 1x Sleep call for process: a.exe modified
08:27:37 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

              Joe Sandbox View / Context

              IPs

Match | Associated Sample Name / URL | Detection | Context
193.218.118.85 | docs-034.exe | malicious |
| p9W7XrJg7B.exe | malicious |
| wqxfQkYM.exe | malicious |
| Y2EnkSyG.exe | malicious |
| 068vjTbZ.exe | malicious |

                        Domains

Match | Associated Sample Name / URL | Detection | Context
forcesbots.ddns.net | New Order 863127 PDF.exe | malicious | 197.210.84.206

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
EPINATURAUA | docs-034.exe | Get hash | malicious | Browse | 193.218.118.85
 | hse8DRMQnI.exe | Get hash | malicious | Browse | 193.218.118.125
 | FickerStealer.exe | Get hash | malicious | Browse | 193.218.118.167
 | p9W7XrJg7B.exe | Get hash | malicious | Browse | 193.218.118.85
 | wqxfQkYM.exe | Get hash | malicious | Browse | 193.218.118.85
 | Y2EnkSyG.exe | Get hash | malicious | Browse | 193.218.118.85
 | 068vjTbZ.exe | Get hash | malicious | Browse | 193.218.118.85
 | docs090.exe | Get hash | malicious | Browse | 193.218.118.190
 | belgelervk.exe | Get hash | malicious | Browse | 193.218.118.190
 | docs-06.exe | Get hash | malicious | Browse | 193.218.118.190
 | docs094.exe | Get hash | malicious | Browse | 193.218.118.190
 | q7Q5SdJy.exe | Get hash | malicious | Browse | 193.218.118.190

JA3 Fingerprints

No context

Dropped Files

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe | Get hash | malicious | Browse |
 | HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe | Get hash | malicious | Browse |
 | REQUEST FOR OFFER.exe | Get hash | malicious | Browse |
 | New Order.exe | Get hash | malicious | Browse |
 | v2.exe | Get hash | malicious | Browse |
 | MPO-003234.exe | Get hash | malicious | Browse |
 | Payment copy.exe | Get hash | malicious | Browse |
 | New Order.exe | Get hash | malicious | Browse |
 | YKRAB010B_KHE_Preminary Packing List.xlsx.exe | Get hash | malicious | Browse |
 | RTM DIAS - CTM.exe | Get hash | malicious | Browse |
 | SecuriteInfo.com.Artemis249E62CF9BAE.exe | Get hash | malicious | Browse |
 | SecuriteInfo.com.Trojan.Packed2.42841.18110.exe | Get hash | malicious | Browse |
 | DETALLE DE TRANSFERENCIA BANCO AGRARO DE COLOMBIA.exe | Get hash | malicious | Browse |
 | index_2021-02-18-20_41.exe | Get hash | malicious | Browse |
 | XXXXXXXXXXXXXX.exe | Get hash | malicious | Browse |
 | IMG_144907.exe | Get hash | malicious | Browse |
 | VIIIIIIIIIIIIIC.exe | Get hash | malicious | Browse |
 | lQN1zlLSGa.exe | Get hash | malicious | Browse |
 | Sorted Properties.exe | Get hash | malicious | Browse |
 | DB_DHL_AWB_00117390021_AD03990399003920032.exe | Get hash | malicious | Browse |
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe | Get hash | malicious | Browse |
 | HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe | Get hash | malicious | Browse |
 | REQUEST FOR OFFER.exe | Get hash | malicious | Browse |
 | New Order.exe | Get hash | malicious | Browse |
 | v2.exe | Get hash | malicious | Browse |
 | MPO-003234.exe | Get hash | malicious | Browse |
 | Payment copy.exe | Get hash | malicious | Browse |
 | New Order.exe | Get hash | malicious | Browse |
 | YKRAB010B_KHE_Preminary Packing List.xlsx.exe | Get hash | malicious | Browse |
 | RTM DIAS - CTM.exe | Get hash | malicious | Browse |
 | SecuriteInfo.com.Artemis249E62CF9BAE.exe | Get hash | malicious | Browse |
 | SecuriteInfo.com.Trojan.Packed2.42841.18110.exe | Get hash | malicious | Browse |
 | DETALLE DE TRANSFERENCIA BANCO AGRARO DE COLOMBIA.exe | Get hash | malicious | Browse |
 | index_2021-02-18-20_41.exe | Get hash | malicious | Browse |
 | XXXXXXXXXXXXXX.exe | Get hash | malicious | Browse |
 | IMG_144907.exe | Get hash | malicious | Browse |
 | VIIIIIIIIIIIIIC.exe | Get hash | malicious | Browse |
 | lQN1zlLSGa.exe | Get hash | malicious | Browse |
 | Sorted Properties.exe | Get hash | malicious | Browse |
 | DB_DHL_AWB_00117390021_AD03990399003920032.exe | Get hash | malicious | Browse |

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Process: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 41064
Entropy (8bit): 6.164873449128079
Encrypted: false
SSDEEP: 384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
MD5: EFEC8C379D165E3F33B536739AEE26A3
SHA1: C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
SHA-256: 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
SHA-512: 497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%, Browse
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe, Detection: malicious, Browse
• Filename: HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe, Detection: malicious, Browse
• Filename: REQUEST FOR OFFER.exe, Detection: malicious, Browse
• Filename: New Order.exe, Detection: malicious, Browse
• Filename: v2.exe, Detection: malicious, Browse
• Filename: MPO-003234.exe, Detection: malicious, Browse
• Filename: Payment copy.exe, Detection: malicious, Browse
• Filename: New Order.exe, Detection: malicious, Browse
• Filename: YKRAB010B_KHE_Preminary Packing List.xlsx.exe, Detection: malicious, Browse
• Filename: RTM DIAS - CTM.exe, Detection: malicious, Browse
• Filename: SecuriteInfo.com.Artemis249E62CF9BAE.exe, Detection: malicious, Browse
• Filename: SecuriteInfo.com.Trojan.Packed2.42841.18110.exe, Detection: malicious, Browse
• Filename: DETALLE DE TRANSFERENCIA BANCO AGRARO DE COLOMBIA.exe, Detection: malicious, Browse
• Filename: index_2021-02-18-20_41.exe, Detection: malicious, Browse
• Filename: XXXXXXXXXXXXXX.exe, Detection: malicious, Browse
• Filename: IMG_144907.exe, Detection: malicious, Browse
• Filename: VIIIIIIIIIIIIIC.exe, Detection: malicious, Browse
• Filename: lQN1zlLSGa.exe, Detection: malicious, Browse
• Filename: Sorted Properties.exe, Detection: malicious, Browse
• Filename: DB_DHL_AWB_00117390021_AD03990399003920032.exe, Detection: malicious, Browse
Reputation: moderate, very likely benign file
                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..h>...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..|J..........lm.......o......................................2~.....o....*.r...p(....*VrK..p(....s.........*..0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........*.*................"..(*...*..{Q...-...}Q.....(+...(....(,....(+...*"..(-...*..(....*..(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New Order 632487 PDF.exe.log
Process: C:\Users\user\Desktop\New Order 632487 PDF.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1128
Entropy (8bit): 5.3642098150017015
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHH
MD5: F559E0C1EE1946CCFCDFC8B1AAF4790D
SHA1: C64B80AF0CFE0C5116442D76D3B14FE76200492C
SHA-256: CCB1CB8024F68A95F371EAF0DC9AACC53CFB4793B3201E3A288329CB22D58E48
SHA-512: 5A70156D95C609AFCCAF48EA552E45F9AC2F6A5C46F965D9E21CFBCB87F9D716A35B59B7FE0AC39D67DFCBD1E6CA75A1B6494A10150DAD86FD2BF9F66CACA904
Malicious: true
Reputation: moderate, very likely benign file
                                                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a.exe.log
Process: C:\Users\user\AppData\Roaming\a.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1128
Entropy (8bit): 5.3642098150017015
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHH
MD5: F559E0C1EE1946CCFCDFC8B1AAF4790D
SHA1: C64B80AF0CFE0C5116442D76D3B14FE76200492C
SHA-256: CCB1CB8024F68A95F371EAF0DC9AACC53CFB4793B3201E3A288329CB22D58E48
SHA-512: 5A70156D95C609AFCCAF48EA552E45F9AC2F6A5C46F965D9E21CFBCB87F9D716A35B59B7FE0AC39D67DFCBD1E6CA75A1B6494A10150DAD86FD2BF9F66CACA904
Malicious: false
Reputation: moderate, very likely benign file
                                                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
Process: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 950
Entropy (8bit): 5.350971482944737
Encrypted: false
SSDEEP: 24:MLiKNE4qpE4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:MeIH2HKXwYHKhQnoPtHoxHhAHKzva
MD5: CEE81B7EB08EE82CFE49E47B81B50D1A
SHA1: 4746C7068BD50E3309BFFDBE8983B8F27D834DFD
SHA-256: B9A90255691E7C9D3CCBD27D00FC514DDD6087446D8DB03335CEF1B5634CC460
SHA-512: AF5865439412974FCB6B11E22CFFF1ACA0BEBF83CF398D6056CEEF93720AF0FBCB579858C39E6AA0D989680F2180F2CA181D7D12887604B420D0E1976B8AEA77
Malicious: false
Reputation: moderate, very likely benign file
                                                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..
C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Process: C:\Users\user\Desktop\New Order 632487 PDF.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 41064
Entropy (8bit): 6.164873449128079
Encrypted: false
SSDEEP: 384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
MD5: EFEC8C379D165E3F33B536739AEE26A3
SHA1: C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
SHA-256: 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
SHA-512: 497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 0%, Browse
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe, Detection: malicious, Browse
• Filename: HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe, Detection: malicious, Browse
• Filename: REQUEST FOR OFFER.exe, Detection: malicious, Browse
• Filename: New Order.exe, Detection: malicious, Browse
• Filename: v2.exe, Detection: malicious, Browse
• Filename: MPO-003234.exe, Detection: malicious, Browse
• Filename: Payment copy.exe, Detection: malicious, Browse
• Filename: New Order.exe, Detection: malicious, Browse
• Filename: YKRAB010B_KHE_Preminary Packing List.xlsx.exe, Detection: malicious, Browse
• Filename: RTM DIAS - CTM.exe, Detection: malicious, Browse
• Filename: SecuriteInfo.com.Artemis249E62CF9BAE.exe, Detection: malicious, Browse
• Filename: SecuriteInfo.com.Trojan.Packed2.42841.18110.exe, Detection: malicious, Browse
• Filename: DETALLE DE TRANSFERENCIA BANCO AGRARO DE COLOMBIA.exe, Detection: malicious, Browse
• Filename: index_2021-02-18-20_41.exe, Detection: malicious, Browse
• Filename: XXXXXXXXXXXXXX.exe, Detection: malicious, Browse
• Filename: IMG_144907.exe, Detection: malicious, Browse
• Filename: VIIIIIIIIIIIIIC.exe, Detection: malicious, Browse
• Filename: lQN1zlLSGa.exe, Detection: malicious, Browse
• Filename: Sorted Properties.exe, Detection: malicious, Browse
• Filename: DB_DHL_AWB_00117390021_AD03990399003920032.exe, Detection: malicious, Browse
Reputation: moderate, very likely benign file
                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..h>...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..|J..........lm.......o......................................2~.....o....*.r...p(....*VrK..p(....s.........*..0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........*.*................"..(*...*..{Q...-...}Q.....(+...(....(,....(+...*"..(-...*..(....*..(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Process: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
File Type: data
Category: dropped
Size (bytes): 8
Entropy (8bit): 2.75
Encrypted: false
SSDEEP: 3:79P:5P
MD5: C7477DA9F3F97638516A2477F2CC2B8B
SHA1: 9768234F199909AC29AAC801D149DA06E9076F69
SHA-256: DF7A7D39217AD8CF412C8DF9A4D8CC0B18648CBE482BCEACE96A551C232E696E
SHA-512: 40E891484BABD402200F9F185B4C6A762A67916FBD5076E3BBC3DC8A68BF6EAF775561477307D4714E228DF4A5805F637EA2F7B5465CCBDCD26839538B272A8B
Malicious: true
                                                                                                        Preview: k......H
                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk
                                                                                                        Process:C:\Users\user\Desktop\New Order 632487 PDF.exe
                                                                                                        File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                                                                                                        Category:dropped
                                                                                                        Size (bytes):854
                                                                                                        Entropy (8bit):3.03156476699929
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12:8wl0RsXou41w/tz0/CSLmz3qMJkHgTCNfBT/v4t2Y+xIBjK:8if4eWL0t+Vpd7aB
                                                                                                        MD5:C43C60D569FA0C256C556082126497D4
                                                                                                        SHA1:A3206A53ECCC894E6F1F7037ECB395A91EDEFF54
                                                                                                        SHA-256:E9F08DB61FE3C57BF38D637B3601487358AE827DC032B03F37CDA9F8551AF7F6
                                                                                                        SHA-512:96C92F6EE08F1578E06231B9024DEF96BD55A14190CFA824DA4A408E62B94BF6D408C73657886993302CE902C3D3C264C386B1C6D27F682B290B0E21567B7DE8
                                                                                                        Malicious:false
                                                                                                        Preview: L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................h.a.r.d.z.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....P.2...........a.exe.<............................................a...e.x.e.............\.....\.....\.....\.....\.a...e.x.e.$.C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.a...e.x.e.............y.............>.e.L.:..er.=y...............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.................
                                                                                                        C:\Users\user\AppData\Roaming\a.exe
                                                                                                        Process:C:\Users\user\Desktop\New Order 632487 PDF.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):830976
                                                                                                        Entropy (8bit):7.301089079716191
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12288:0hGT/f7DSvWN1JuigLYVlaf+dhKeVnVBAzzP3V7B+AciC8+WrWwYgI7:/zHSvi7AYaf+dk+gzDF7Btd6fgI7
                                                                                                        MD5:6BB37FBE7FF7B15C6B20A788BA9D46FF
                                                                                                        SHA1:E0F33AF458168BCCF87FA98638192626C1053CCF
                                                                                                        SHA-256:2A65DA255EB2EE6CE3C4F2A9CE64E9A48491325BB44BD0FDA7C95B6A5DB64A41
                                                                                                        SHA-512:FFEFE12D0822DA046A06343D51DD6AE9E005E506916EC02A237E411ECD1DC7CC4A76DBC61AC1CC4F063BC9CBEB1FB54B823C73EE0049B2ADE49B4333EC2D8605
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        • Antivirus: Metadefender, Detection: 22%
                                                                                                        • Antivirus: ReversingLabs, Detection: 83%
                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H^.........."...P.................. ........@.. ....................... ............`.................................l...O.......Z............................................................................ ............... ..H............text....... ...................... ..`.rsrc...Z...........................@..@.reloc..............................@..B........................H........U...k......H....|................................................(....*&..(.....*.s.........s ........s!........s"........s#........*Z........o6...........*&..(7....*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*...{......,.+.....,.rq..ps<...z..|....(...+*...{......,.+.....,.rq..ps<...z..|....(...+*...{......,.+.....,.rq..ps<...z..|....(...+*&........*".......*Vs)...(B...t.........*..(C...*6.(D....(....*&.{....+.*"..}....*&.{....+.*
                                                                                                        C:\Users\user\AppData\Roaming\a.exe:Zone.Identifier
                                                                                                        Process:C:\Users\user\Desktop\New Order 632487 PDF.exe
                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):26
                                                                                                        Entropy (8bit):3.95006375643621
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:ggPYV:rPYV
                                                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                        Malicious:true
                                                                                                        Preview: [ZoneTransfer]....ZoneId=0
                                                                                                        \Device\ConDrv
                                                                                                        Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):2017
                                                                                                        Entropy (8bit):4.663189584482275
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:48:zK4Qu4D4ql0+1AcJRy0EJP64gFljVlWo3ggxUnQK2qmBvgw1+5:zKJDEcTytNe3Wo3uQVBIe+5
                                                                                                        MD5:9C305D95E7DA8FCA9651F7F426BB25BC
                                                                                                        SHA1:FDB5C18C26CF5B83EF5DC297C0F9CEBEF6A97FFC
                                                                                                        SHA-256:444F71CF504D22F0EE88024D61501D3B79AE5D1AFD521E72499F325F6B0B82BE
                                                                                                        SHA-512:F2829518AE0F6DD35C1DE1175FC8BE3E52EDCAFAD0B2455AC593F5E5D4BD480B014F52C3AE24E742B914685513BE5DF862373E75C45BB7908C775D7E2E404DB3
                                                                                                        Malicious:false
                                                                                                        Preview: Microsoft (R) .NET Framework Installation utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....Usage: InstallUtil [/u | /uninstall] [option [...]] assembly [[option [...]] assembly] [...]]....InstallUtil executes the installers in each given assembly...If the /u or /uninstall switch is specified, it uninstalls..the assemblies, otherwise it installs them. Unlike other..options, /u applies to all assemblies, regardless of where it..appears on the command line.....Installation is done in a transactioned way: If one of the..assemblies fails to install, the installations of all other..assemblies are rolled back. Uninstall is not transactioned.....Options take the form /switch=[value]. Any option that occurs..before the name of an assembly will apply to that assembly's..installation. Options are cumulative but overridable - options..specified for one assembly will apply to the next as well unless..the option is specified with a new value. The default for

                                                                                                        Static File Info

                                                                                                        General

                                                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Entropy (8bit):7.301089079716191
                                                                                                        TrID:
                                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                                                        File name:New Order 632487 PDF.exe
                                                                                                        File size:830976
                                                                                                        MD5:6bb37fbe7ff7b15c6b20a788ba9d46ff
                                                                                                        SHA1:e0f33af458168bccf87fa98638192626c1053ccf
                                                                                                        SHA256:2a65da255eb2ee6ce3c4f2a9ce64e9a48491325bb44bd0fda7c95b6a5db64a41
                                                                                                        SHA512:ffefe12d0822da046a06343d51dd6ae9e005e506916ec02a237e411ecd1dc7cc4a76dbc61ac1cc4f063bc9cbeb1fb54b823c73ee0049b2ade49b4333ec2d8605
                                                                                                        SSDEEP:12288:0hGT/f7DSvWN1JuigLYVlaf+dhKeVnVBAzzP3V7B+AciC8+WrWwYgI7:/zHSvi7AYaf+dk+gzDF7Btd6fgI7
                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....H^.........."...P.................. ........@.. ....................... ............`................................

                                                                                                        File Icon

                                                                                                        Icon Hash:00828e8e8686b000

                                                                                                        Static PE Info

                                                                                                        General

                                                                                                        Entrypoint:0x4cc1be
                                                                                                        Entrypoint Section:.text
                                                                                                        Digitally signed:false
                                                                                                        Imagebase:0x400000
                                                                                                        Subsystem:windows gui
                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                                                        Time Stamp:0x5E48BFF2 [Sun Feb 16 04:07:14 2020 UTC]
                                                                                                        TLS Callbacks:
                                                                                                        CLR (.Net) Version:v4.0.30319
                                                                                                        OS Version Major:4
                                                                                                        OS Version Minor:0
                                                                                                        File Version Major:4
                                                                                                        File Version Minor:0
                                                                                                        Subsystem Version Major:4
                                                                                                        Subsystem Version Minor:0
                                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                        Entrypoint Preview

                                                                                                        Instruction
                                                                                                        jmp dword ptr [00402000h]
                                                                                                        add byte ptr [eax], al

                                                                                                        Data Directories

                                                                                                        Name                                  Virtual Address  Virtual Size  Is in Section
                                                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT          0xcc16c          0x4f          .text
                                                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE        0xce000          0x65a         .rsrc
                                                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC       0xd0000          0xc           .reloc
                                                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
.text   0x2000           0xca1c4       0xca200   False     0.795109094774   data       7.31108517286    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xce000          0x65a         0x800     False     0.3623046875     data       3.75438294081    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xd0000          0xc           0x200     False     0.044921875      data       0.0940979256627  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA      Size   Type                                                                         Language  Country
RT_VERSION   0xce0a0  0x3d0  data
RT_MANIFEST  0xce470  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2002 :5G3:@;<;EHBGF;9?II
Assembly Version  1.0.0.0
InternalName      New Order 632487 PDF.exe
FileVersion       4.7.9.11
CompanyName       :5G3:@;<;EHBGF;9?II
Comments          FJ385I9C<H23HAAI2C
ProductName       24233HDH389D=D97H<I44?<
ProductVersion    4.7.9.11
FileDescription   24233HDH389D=D97H<I44?<
OriginalFilename  New Order 632487 PDF.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Feb 24, 2021 08:27:38.506474972 CET  49724        7767       192.168.2.3  193.218.118.85
Feb 24, 2021 08:27:41.621108055 CET  49724        7767       192.168.2.3  193.218.118.85
Feb 24, 2021 08:27:47.621624947 CET  49724        7767       192.168.2.3  193.218.118.85
Feb 24, 2021 08:27:56.288351059 CET  49728        7767       192.168.2.3  193.218.118.85
Feb 24, 2021 08:27:59.294507027 CET  49728        7767       192.168.2.3  193.218.118.85
Feb 24, 2021 08:28:05.310722113 CET  49728        7767       192.168.2.3  193.218.118.85
Feb 24, 2021 08:28:13.285882950 CET  49729        7767       192.168.2.3  193.218.118.85
Feb 24, 2021 08:28:16.295875072 CET  49729        7767       192.168.2.3  193.218.118.85
Feb 24, 2021 08:28:22.296358109 CET  49729        7767       192.168.2.3  193.218.118.85
Feb 24, 2021 08:28:29.953555107 CET  49741        7767       192.168.2.3  193.218.118.85
Feb 24, 2021 08:28:32.953835011 CET  49741        7767       192.168.2.3  193.218.118.85
Feb 24, 2021 08:28:38.954144955 CET  49741        7767       192.168.2.3  193.218.118.85
Feb 24, 2021 08:28:46.618545055 CET  49742        7767       192.168.2.3  193.218.118.85
Feb 24, 2021 08:28:49.751879930 CET  49742        7767       192.168.2.3  193.218.118.85
Feb 24, 2021 08:28:55.752271891 CET  49742        7767       192.168.2.3  193.218.118.85
Feb 24, 2021 08:29:03.317387104 CET  49746        7767       192.168.2.3  193.218.118.85
Feb 24, 2021 08:29:06.331403971 CET  49746        7767       192.168.2.3  193.218.118.85
Feb 24, 2021 08:29:12.331844091 CET  49746        7767       192.168.2.3  193.218.118.85

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Feb 24, 2021 08:26:51.813945055 CET  56777        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:26:51.819036007 CET  58643        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:26:51.862639904 CET  53           56777      8.8.8.8      192.168.2.3
Feb 24, 2021 08:26:51.867713928 CET  53           58643      8.8.8.8      192.168.2.3
Feb 24, 2021 08:26:51.984157085 CET  60985        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:26:52.033083916 CET  53           60985      8.8.8.8      192.168.2.3
Feb 24, 2021 08:26:56.214761019 CET  50200        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:26:56.277456999 CET  53           50200      8.8.8.8      192.168.2.3
Feb 24, 2021 08:26:59.755116940 CET  51281        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:26:59.806962013 CET  53           51281      8.8.8.8      192.168.2.3
Feb 24, 2021 08:26:59.839361906 CET  49199        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:26:59.890907049 CET  53           49199      8.8.8.8      192.168.2.3
Feb 24, 2021 08:27:01.059406042 CET  50620        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:27:01.108555079 CET  53           50620      8.8.8.8      192.168.2.3
Feb 24, 2021 08:27:02.359008074 CET  64938        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:27:02.410617113 CET  53           64938      8.8.8.8      192.168.2.3
Feb 24, 2021 08:27:03.711429119 CET  60152        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:27:03.763259888 CET  53           60152      8.8.8.8      192.168.2.3
Feb 24, 2021 08:27:05.294286966 CET  57544        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:27:05.343498945 CET  53           57544      8.8.8.8      192.168.2.3
Feb 24, 2021 08:27:06.518959999 CET  55984        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:27:06.570784092 CET  53           55984      8.8.8.8      192.168.2.3
Feb 24, 2021 08:27:07.732810020 CET  64185        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:27:07.792707920 CET  53           64185      8.8.8.8      192.168.2.3
Feb 24, 2021 08:27:08.907334089 CET  65110        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:27:08.959305048 CET  53           65110      8.8.8.8      192.168.2.3
Feb 24, 2021 08:27:10.486464977 CET  58361        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:27:10.535645008 CET  53           58361      8.8.8.8      192.168.2.3
Feb 24, 2021 08:27:11.738147974 CET  63492        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:27:11.787111044 CET  53           63492      8.8.8.8      192.168.2.3
Feb 24, 2021 08:27:12.904726028 CET  60831        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:27:12.953589916 CET  53           60831      8.8.8.8      192.168.2.3
Feb 24, 2021 08:27:14.945636988 CET  60100        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:27:14.994864941 CET  53           60100      8.8.8.8      192.168.2.3
Feb 24, 2021 08:27:16.199708939 CET  60100        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:27:16.248699903 CET  53           60100      8.8.8.8      192.168.2.3
Feb 24, 2021 08:27:18.545169115 CET  53195        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:27:18.594221115 CET  53           53195      8.8.8.8      192.168.2.3
Feb 24, 2021 08:27:19.186659098 CET  50141        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:27:19.245006084 CET  53           50141      8.8.8.8      192.168.2.3
Feb 24, 2021 08:27:19.503521919 CET  53023        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:27:19.552885056 CET  53           53023      8.8.8.8      192.168.2.3
Feb 24, 2021 08:27:20.226172924 CET  49563        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:27:20.290333986 CET  53           49563      8.8.8.8      192.168.2.3
Feb 24, 2021 08:27:20.747888088 CET  51352        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:27:20.799860001 CET  53           51352      8.8.8.8      192.168.2.3
Feb 24, 2021 08:27:21.737982035 CET  59349        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:27:21.786956072 CET  53           59349      8.8.8.8      192.168.2.3
Feb 24, 2021 08:27:22.680237055 CET  57084        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:27:22.730372906 CET  53           57084      8.8.8.8      192.168.2.3
Feb 24, 2021 08:27:23.680464983 CET  58823        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:27:23.729445934 CET  53           58823      8.8.8.8      192.168.2.3
Feb 24, 2021 08:27:24.589320898 CET  57568        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:27:24.638376951 CET  53           57568      8.8.8.8      192.168.2.3
Feb 24, 2021 08:27:27.690359116 CET  50540        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:27:27.739727974 CET  53           50540      8.8.8.8      192.168.2.3
Feb 24, 2021 08:27:38.429212093 CET  54366        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:27:38.489042997 CET  53           54366      8.8.8.8      192.168.2.3
Feb 24, 2021 08:27:38.703165054 CET  53034        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:27:38.752595901 CET  53           53034      8.8.8.8      192.168.2.3
Feb 24, 2021 08:27:47.147347927 CET  57762        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:27:47.199500084 CET  53           57762      8.8.8.8      192.168.2.3
Feb 24, 2021 08:27:56.225450039 CET  55435        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:27:56.286724091 CET  53           55435      8.8.8.8      192.168.2.3
Feb 24, 2021 08:28:13.220204115 CET  50713        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:28:13.272465944 CET  53           50713      8.8.8.8      192.168.2.3
Feb 24, 2021 08:28:17.693212032 CET  56132        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:28:17.745332956 CET  53           56132      8.8.8.8      192.168.2.3
Feb 24, 2021 08:28:28.852796078 CET  58987        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:28:28.914611101 CET  53           58987      8.8.8.8      192.168.2.3
Feb 24, 2021 08:28:29.890443087 CET  56579        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:28:29.952094078 CET  53           56579      8.8.8.8      192.168.2.3
Feb 24, 2021 08:28:46.555999041 CET  60633        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:28:46.616513014 CET  53           60633      8.8.8.8      192.168.2.3
Feb 24, 2021 08:28:49.896667004 CET  61292        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:28:49.954571009 CET  53           61292      8.8.8.8      192.168.2.3
Feb 24, 2021 08:28:55.829619884 CET  63619        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:28:55.878711939 CET  53           63619      8.8.8.8      192.168.2.3
Feb 24, 2021 08:28:57.710882902 CET  64938        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:28:57.773530960 CET  53           64938      8.8.8.8      192.168.2.3
Feb 24, 2021 08:29:03.257323980 CET  61946        53         192.168.2.3  8.8.8.8
Feb 24, 2021 08:29:03.316689014 CET  53           61946      8.8.8.8      192.168.2.3

DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                 Type            Class
Feb 24, 2021 08:27:38.429212093 CET  192.168.2.3  8.8.8.8  0xa07b    Standard query (0)  forcesbots.ddns.net  A (IP address)  IN (0x0001)
Feb 24, 2021 08:27:56.225450039 CET  192.168.2.3  8.8.8.8  0xbcc1    Standard query (0)  forcesbots.ddns.net  A (IP address)  IN (0x0001)
Feb 24, 2021 08:28:13.220204115 CET  192.168.2.3  8.8.8.8  0xd233    Standard query (0)  forcesbots.ddns.net  A (IP address)  IN (0x0001)
Feb 24, 2021 08:28:29.890443087 CET  192.168.2.3  8.8.8.8  0xcfb3    Standard query (0)  forcesbots.ddns.net  A (IP address)  IN (0x0001)
Feb 24, 2021 08:28:46.555999041 CET  192.168.2.3  8.8.8.8  0x3bf9    Standard query (0)  forcesbots.ddns.net  A (IP address)  IN (0x0001)
Feb 24, 2021 08:29:03.257323980 CET  192.168.2.3  8.8.8.8  0x2158    Standard query (0)  forcesbots.ddns.net  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                 CName  Address         Type            Class
Feb 24, 2021 08:27:38.489042997 CET  8.8.8.8    192.168.2.3  0xa07b    No error (0)  forcesbots.ddns.net         193.218.118.85  A (IP address)  IN (0x0001)
Feb 24, 2021 08:27:56.286724091 CET  8.8.8.8    192.168.2.3  0xbcc1    No error (0)  forcesbots.ddns.net         193.218.118.85  A (IP address)  IN (0x0001)
Feb 24, 2021 08:28:13.272465944 CET  8.8.8.8    192.168.2.3  0xd233    No error (0)  forcesbots.ddns.net         193.218.118.85  A (IP address)  IN (0x0001)
Feb 24, 2021 08:28:29.952094078 CET  8.8.8.8    192.168.2.3  0xcfb3    No error (0)  forcesbots.ddns.net         193.218.118.85  A (IP address)  IN (0x0001)
Feb 24, 2021 08:28:46.616513014 CET  8.8.8.8    192.168.2.3  0x3bf9    No error (0)  forcesbots.ddns.net         193.218.118.85  A (IP address)  IN (0x0001)
Feb 24, 2021 08:29:03.316689014 CET  8.8.8.8    192.168.2.3  0x2158    No error (0)  forcesbots.ddns.net         193.218.118.85  A (IP address)  IN (0x0001)

Code Manipulations

Statistics

CPU Usage
Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time: 08:26:58
Start date: 24/02/2021
Path: C:\Users\user\Desktop\New Order 632487 PDF.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\New Order 632487 PDF.exe'
Imagebase: 0x1a0000
File size: 830976 bytes
MD5 hash: 6BB37FBE7FF7B15C6B20A788BA9D46FF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.285863508.00000000040C9000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.285863508.00000000040C9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.285863508.00000000040C9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.286576608.00000000041C6000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.286576608.00000000041C6000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.286576608.00000000041C6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 08:27:17
Start date: 24/02/2021
Path: C:\Users\user\AppData\Roaming\a.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\a.exe'
Imagebase: 0x380000
File size: 830976 bytes
MD5 hash: 6BB37FBE7FF7B15C6B20A788BA9D46FF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.500185390.0000000003705000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.500185390.0000000003705000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000006.00000002.500185390.0000000003705000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.500785518.00000000038BA000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.500785518.00000000038BA000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.500785518.00000000038BA000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.500410926.00000000037BD000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.500410926.00000000037BD000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000006.00000002.500410926.00000000037BD000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        • Detection: 22%, Metadefender
                                                                                                        • Detection: 83%, ReversingLabs
                                                                                                        Reputation:low

                                                                                                        General

                                                                                                        Start time:08:27:25
                                                                                                        Start date:24/02/2021
                                                                                                        Path:C:\Users\user\AppData\Roaming\a.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:'C:\Users\user\AppData\Roaming\a.exe'
                                                                                                        Imagebase:0x820000
                                                                                                        File size:830976 bytes
                                                                                                        MD5 hash:6BB37FBE7FF7B15C6B20A788BA9D46FF
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                        Reputation:low

                                                                                                        General

                                                                                                        Start time:08:27:28
                                                                                                        Start date:24/02/2021
                                                                                                        Path:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                                                        Imagebase:0x6a0000
                                                                                                        File size:41064 bytes
                                                                                                        MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.499062665.0000000003969000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.499062665.0000000003969000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.487651546.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.487651546.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.487651546.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.502699733.0000000005290000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.502699733.0000000005290000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.502699733.0000000005290000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.502105308.0000000005060000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.502105308.0000000005060000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.493457156.0000000002921000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 0%, Metadefender
                                                                                                        • Detection: 0%, ReversingLabs
                                                                                                        Reputation:moderate

                                                                                                        General

                                                                                                        Start time:08:27:45
                                                                                                        Start date:24/02/2021
                                                                                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                                                                                        Imagebase:0x790000
                                                                                                        File size:41064 bytes
                                                                                                        MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 0%, Metadefender
                                                                                                        • Detection: 0%, ReversingLabs
                                                                                                        Reputation:moderate

                                                                                                        General

                                                                                                        Start time:08:27:46
                                                                                                        Start date:24/02/2021
                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        Imagebase:0x7ff6b2800000
                                                                                                        File size:625664 bytes
                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high

                                                                                                        Disassembly

                                                                                                        Code Analysis

                                                                                                          Executed Functions

                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.291202833.0000000007210000.00000040.00000001.sdmp, Offset: 07210000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: ($<$ntin$ntin
                                                                                                          • API String ID: 0-2884023141
                                                                                                          • Opcode ID: 99ed3aa02e0fb526f203a722d3a3d5b67fc523075a13aba28f9a3f86a62669c2
                                                                                                          • Instruction ID: 2232f23f83cce4aafef7556f47f79ab064747174ae5d6d815b6366cea67f6872
                                                                                                          • Opcode Fuzzy Hash: 99ed3aa02e0fb526f203a722d3a3d5b67fc523075a13aba28f9a3f86a62669c2
                                                                                                          • Instruction Fuzzy Hash: E9A2C4B4E102198FDB24CF99C981BDDB7F6BF89304F24C1A9D508AB255D734AA81CF61
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.291202833.0000000007210000.00000040.00000001.sdmp, Offset: 07210000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: <$ntin$ntin
                                                                                                          • API String ID: 0-1029651476
                                                                                                          • Opcode ID: a495ce1cb4cffb07163aa5de5eaf3838e9da561272b601f8cd4f8d1567eea15c
                                                                                                          • Instruction ID: 0adafd4afc69122a12811fe571a78e7c28e59e77a14d8151d4d141b212a7fad2
                                                                                                          • Opcode Fuzzy Hash: a495ce1cb4cffb07163aa5de5eaf3838e9da561272b601f8cd4f8d1567eea15c
                                                                                                          • Instruction Fuzzy Hash: D6E194B5E006198FDB18CFAAC981ADEFBF2BF89300F14C1A9D508AB365DB3459418F55
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.282974582.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: <$@
                                                                                                          • API String ID: 0-1426351568
                                                                                                          • Opcode ID: 16dff9bb13939747429c8b235b6910189a88e6d866146549b1f30bb5971ec5e6
                                                                                                          • Instruction ID: 83afe2c671097eb45781c35e40340f2b5b20db433aaccda9fad11343365ec59f
                                                                                                          • Opcode Fuzzy Hash: 16dff9bb13939747429c8b235b6910189a88e6d866146549b1f30bb5971ec5e6
                                                                                                          • Instruction Fuzzy Hash: A862CCB4A01259CFEB64DFA9C985B8DFBF2BF48304F15C1A9D408AB611D730A981CF59
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.282974582.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: d4f564f273a20de32d07399bb183626dbe442033fceabc78f60a0267b845cf29
                                                                                                          • Instruction ID: fd9cf99802c55b92cc21f92fe14499a35939d5e3ad4e6ad95a76011880e7c955
                                                                                                          • Opcode Fuzzy Hash: d4f564f273a20de32d07399bb183626dbe442033fceabc78f60a0267b845cf29
                                                                                                          • Instruction Fuzzy Hash: EC427B74E01229CFDB24CFA9D994B9DBBB2FB88310F1481A9D809A7355D735AE81CF50
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.282974582.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 644ac898b8788ae928b0ec7714317327b84ad3e258c38cd76a1005132cfed58e
                                                                                                          • Instruction ID: 557b08e08f95b97a916795694f1ff8df4f30b423e80356ef22fe469ff56dbc07
                                                                                                          • Opcode Fuzzy Hash: 644ac898b8788ae928b0ec7714317327b84ad3e258c38cd76a1005132cfed58e
                                                                                                          • Instruction Fuzzy Hash: E232E270901259CFEB64DFA9C985A8EFBF2BF49305F55C5A5C408AB211CB30D981CFA9
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.291202833.0000000007210000.00000040.00000001.sdmp, Offset: 07210000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: f1fe00bcceb8afe57bfa8cf66662ac15a3317707e0f09e11c59b0b34a350e1c4
                                                                                                          • Instruction ID: 064ea65191972d6f88866a475abf4f5340756a6964c7105534e64c42860f91ee
                                                                                                          • Opcode Fuzzy Hash: f1fe00bcceb8afe57bfa8cf66662ac15a3317707e0f09e11c59b0b34a350e1c4
                                                                                                          • Instruction Fuzzy Hash: 6F22C274A05268CFDB68EF65D9547ADBBF2FB89301F1080A9D409A7390DB399E81CF10
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.291202833.0000000007210000.00000040.00000001.sdmp, Offset: 07210000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 4bd35c94e7182d494d6aff2eeb273bbbfe8d961c162d9851b0eed67416b53f66
                                                                                                          • Instruction ID: edde38a74e3f226f2f3d28ff2c71e4efb5609eea46bab6ac37dbe571f0f9a3d2
                                                                                                          • Opcode Fuzzy Hash: 4bd35c94e7182d494d6aff2eeb273bbbfe8d961c162d9851b0eed67416b53f66
                                                                                                          • Instruction Fuzzy Hash: 2C22C274905268CFDB28EF65D9547ADBBF2FB8A305F1080A9D409A7390DB399E81CF50
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.291202833.0000000007210000.00000040.00000001.sdmp, Offset: 07210000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 0ee614408bcb0c5c62bb1726690a2483ed45e1062dfea5ded365f78e34422afb
                                                                                                          • Instruction ID: 20f9d149b7d61a11190ea1994338dfae6b88ef8b89773ffd3e8c783648222e2a
                                                                                                          • Opcode Fuzzy Hash: 0ee614408bcb0c5c62bb1726690a2483ed45e1062dfea5ded365f78e34422afb
                                                                                                          • Instruction Fuzzy Hash: 05B1D4F0738113CBDB289B35884633A75E7BFD1A60F55882DD896CAAA9CF70C841C752
                                                                                                          APIs
                                                                                                          • CopyFileExW.KERNEL32(00000000,?,00000000,?,?,?), ref: 0721AC80
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.291202833.0000000007210000.00000040.00000001.sdmp, Offset: 07210000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: CopyFile
                                                                                                          • String ID:
                                                                                                          • API String ID: 1304948518-0
                                                                                                          • Opcode ID: 99b5d73c1822514d5dbb714bc94f535a86d7bad2a96fbeb7eb283829a29deb3b
                                                                                                          • Instruction ID: afc1a52a41b51c4a9f4d427766d71784769bfccc4956c260456bdfa4f383c8b1
                                                                                                          • Opcode Fuzzy Hash: 99b5d73c1822514d5dbb714bc94f535a86d7bad2a96fbeb7eb283829a29deb3b
                                                                                                          • Instruction Fuzzy Hash: 0F8128B0E1530A9FDB14CFA9C8957DEBBF1BF58308F148029E815A7390EB749945CB91
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • CopyFileExW.KERNEL32(00000000,?,00000000,?,?,?), ref: 0721AC80
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.291202833.0000000007210000.00000040.00000001.sdmp, Offset: 07210000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: CopyFile
                                                                                                          • String ID:
                                                                                                          • API String ID: 1304948518-0
                                                                                                          • Opcode ID: b4a358aaffaf4b516561170b08da221f5990ad37a8793e79bf74d24174a01290
                                                                                                          • Instruction ID: 925aab7d74865cf5f8c1701e7d92ea8248347fa6b5e14a6ab996ab6499679e8f
                                                                                                          • Opcode Fuzzy Hash: b4a358aaffaf4b516561170b08da221f5990ad37a8793e79bf74d24174a01290
                                                                                                          • Instruction Fuzzy Hash: 8B8116B0E1570A8FDB18CFA9C8957EEBBF1BF58304F148029E816AB390DB749945CB51
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • VirtualProtect.KERNEL32(?,?,?,00000000), ref: 025ADBFB
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.282974582.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: ProtectVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 544645111-0
                                                                                                          • Opcode ID: 6c09053e9b92286d81bc5e5544583cadcda8a0a63e65d194c275a31ce8436eec
                                                                                                          • Instruction ID: c82f98919484a93d880554febe407c32132ce505d73a8aef84a49af3c78ec61f
                                                                                                          • Opcode Fuzzy Hash: 6c09053e9b92286d81bc5e5544583cadcda8a0a63e65d194c275a31ce8436eec
                                                                                                          • Instruction Fuzzy Hash: FE2144B19002099FCB10DF9AC884BDEFBF4FB48324F108429E958A3640D378AA44CFA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • DeleteFileW.KERNEL32(00000000), ref: 07212498
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.291202833.0000000007210000.00000040.00000001.sdmp, Offset: 07210000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: DeleteFile
                                                                                                          • String ID:
                                                                                                          • API String ID: 4033686569-0
                                                                                                          • Opcode ID: 7c8bf3ee9f90aecbad9fc78cb25f46c810a0dff7ad4440c4ae0b05bc8ba1a6fe
                                                                                                          • Instruction ID: 28b6cfd2dc06d7dc8d014700d1138709e823124bb7589f46a4ee6a6c651866de
                                                                                                          • Opcode Fuzzy Hash: 7c8bf3ee9f90aecbad9fc78cb25f46c810a0dff7ad4440c4ae0b05bc8ba1a6fe
                                                                                                          • Instruction Fuzzy Hash: 902115B1D0065A8FCB10DF9AC4447EEBBF4FB58324F15852AE415A7640D738A945CFA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • VirtualProtect.KERNEL32(?,?,?,?), ref: 07211E2B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.291202833.0000000007210000.00000040.00000001.sdmp, Offset: 07210000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: ProtectVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 544645111-0
                                                                                                          • Opcode ID: 94a709cbcb5a60da1c70375a69b7de4e6150e8d31d75010c0f03e961552209aa
                                                                                                          • Instruction ID: 0b7728fdad254df664f3f5832c56b5365fc5faaec79b628ca856cea6a71dfa39
                                                                                                          • Opcode Fuzzy Hash: 94a709cbcb5a60da1c70375a69b7de4e6150e8d31d75010c0f03e961552209aa
                                                                                                          • Instruction Fuzzy Hash: 882129B5D002499FCB10CF9AC484BDEFBF4FB48324F108429E959A7640D374A655CFA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • DeleteFileW.KERNEL32(00000000), ref: 07212498
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.291202833.0000000007210000.00000040.00000001.sdmp, Offset: 07210000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: DeleteFile
                                                                                                          • String ID:
                                                                                                          • API String ID: 4033686569-0
                                                                                                          • Opcode ID: 6760115a862220e87f96f05ca9992a3dba0ed41669d9bf3ae67881bf29007ba5
                                                                                                          • Instruction ID: d1dcdbe5aadf26f974465d1a6693a515c1bb4320563e69600eda8d4253dc5503
                                                                                                          • Opcode Fuzzy Hash: 6760115a862220e87f96f05ca9992a3dba0ed41669d9bf3ae67881bf29007ba5
                                                                                                          • Instruction Fuzzy Hash: A31106B1D0062A9BCB10DF9AC444B9EFBF4FB48324F15856AE819B7640D738A945CFA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • VirtualProtect.KERNEL32(?,?,?,?), ref: 07211E2B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.291202833.0000000007210000.00000040.00000001.sdmp, Offset: 07210000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: ProtectVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 544645111-0
                                                                                                          • Opcode ID: 17c5dba57d1987e3949e8acbe414c898e593967284efb2e1c61a8ef592c82e2f
                                                                                                          • Instruction ID: 4a1e59c09f682445f18d8df37740876f985c8b837aa46afd2802a80dbcbd84a8
                                                                                                          • Opcode Fuzzy Hash: 17c5dba57d1987e3949e8acbe414c898e593967284efb2e1c61a8ef592c82e2f
                                                                                                          • Instruction Fuzzy Hash: AE2126B1D002499FCB10CF9AC884BDEFBF4FB48320F108429E559A3240D378A644CFA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Non-executed Functions

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.291202833.0000000007210000.00000040.00000001.sdmp, Offset: 07210000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 9bf3f15b95de2d590f371c6e77ade7ec3a089ab9560ef4c3fe650360abdc3a1c
                                                                                                          • Instruction ID: 26bff25909c4df03f6a2fedc6ebb95b8d5ec416a2172ced48810e0b64b4d886c
                                                                                                          • Opcode Fuzzy Hash: 9bf3f15b95de2d590f371c6e77ade7ec3a089ab9560ef4c3fe650360abdc3a1c
                                                                                                          • Instruction Fuzzy Hash: DE02C1B4D11229CFDB24CFA5C884BEEBBF2BB59304F14C1A9D409A7291DB349A85CF50
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.282974582.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: d3b2eee343bcfe1b90cf3a0442863e97f10a96efc00155a9d39749abf3d525bb
                                                                                                          • Instruction ID: 5dc17a9ee41882299d098abf30c7bf32ce98fc19f33d3af9ffd84dfeb8e05e06
                                                                                                          • Opcode Fuzzy Hash: d3b2eee343bcfe1b90cf3a0442863e97f10a96efc00155a9d39749abf3d525bb
                                                                                                          • Instruction Fuzzy Hash: 2CD10530D21B5A8ADB10EB74D990A9DB371FFD5200F50DB9AE50937215EB70AAC9CF90
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.282974582.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: d3f175280cb5bce2665842a1b71ea9d8964e79fc6a7c6b53fdadf8d1bdb59c0c
                                                                                                          • Instruction ID: 5be8234b7f02e419d5d2d790401bc868a5244297f328fbcad1730b4269d01cd9
                                                                                                          • Opcode Fuzzy Hash: d3f175280cb5bce2665842a1b71ea9d8964e79fc6a7c6b53fdadf8d1bdb59c0c
                                                                                                          • Instruction Fuzzy Hash: ACD1F430D21B5A9ADB10EB74D990A9DB371FFD5200F50DB9AE50937214EB70AAC9CF90
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.291202833.0000000007210000.00000040.00000001.sdmp, Offset: 07210000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: a872d34fb166c27b5b3c6023786b4b81126f42316842ac8446c092a3976c3ae2
                                                                                                          • Instruction ID: 28b2499cad6a91662d8b1d485d35b976d56d0910b8fc20e1dc34230c737b9a33
                                                                                                          • Opcode Fuzzy Hash: a872d34fb166c27b5b3c6023786b4b81126f42316842ac8446c092a3976c3ae2
                                                                                                          • Instruction Fuzzy Hash: C681B274B281189BCB18AF7498A427F76B7BFC8304F15882DE406E7398DF749C129792
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.291202833.0000000007210000.00000040.00000001.sdmp, Offset: 07210000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 993d6902999cf44f5a1c1332fba11c690589b95aac9a3d64262eca7dbcd611b5
                                                                                                          • Instruction ID: 75991335f046d699c3f548bbc81d3c5719c71942a09573b788407587253d1610
                                                                                                          • Opcode Fuzzy Hash: 993d6902999cf44f5a1c1332fba11c690589b95aac9a3d64262eca7dbcd611b5
                                                                                                          • Instruction Fuzzy Hash: 9041A9B1E052189FDB28CFA6D8547DEBBF2BF89304F14C0AAD449A7255DB740A89CF50
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.291202833.0000000007210000.00000040.00000001.sdmp, Offset: 07210000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 7b8829090e17ce08c5b703bc3b941ad17767f32cd943c0087596a032f838c610
                                                                                                          • Instruction ID: 90edca871fa2b0b8ad02e59bc56e2f1bf25e508808c27814aaeb13f6809b2c83
                                                                                                          • Opcode Fuzzy Hash: 7b8829090e17ce08c5b703bc3b941ad17767f32cd943c0087596a032f838c610
                                                                                                          • Instruction Fuzzy Hash: 9B319FB5E106588BDB18CFAAD8446DEFBF2BFC9304F14C16AD418AB265EB705945CF40
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.282974582.00000000025A0000.00000040.00000001.sdmp, Offset: 025A0000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: f59fb6f1da6b5aa6f788a830b72d5f080c64372f4a2a511b28ecd5bab69a7030
                                                                                                          • Instruction ID: 5a19ca601004b459e0edc971ce1549734d7c725548e323b1d58fce192363a655
                                                                                                          • Opcode Fuzzy Hash: f59fb6f1da6b5aa6f788a830b72d5f080c64372f4a2a511b28ecd5bab69a7030
                                                                                                          • Instruction Fuzzy Hash: 28E0C276E001198FCF10CEA9D052AEDFBB1BB49326F90E522D418B3205E2349986CF69
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Executed Functions

                                                                                                          APIs
                                                                                                          • CreateProcessAsUserW.KERNEL32(?,00000000,?,0000000A,?,?,?,?,?,?,?), ref: 06B521BB
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.505069024.0000000006B50000.00000040.00000001.sdmp, Offset: 06B50000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: CreateProcessUser
                                                                                                          • String ID:
                                                                                                          • API String ID: 2217836671-0
                                                                                                          • Opcode ID: 5315771280ed8489bb27e2be3ec8d7acd06513ee61efde54f9913e60eca5f768
                                                                                                          • Instruction ID: 94f42c54d767073de7d8d470a2676f223a603685d2f932ba5eebf41f5568794f
                                                                                                          • Opcode Fuzzy Hash: 5315771280ed8489bb27e2be3ec8d7acd06513ee61efde54f9913e60eca5f768
                                                                                                          • Instruction Fuzzy Hash: 265117B1D002299FDB64CF99C840BDDBBB1BF48314F0585AAE958B7210DB759A89CF90
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • CreateProcessAsUserW.KERNEL32(?,00000000,?,0000000A,?,?,?,?,?,?,?), ref: 06B521BB
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.505069024.0000000006B50000.00000040.00000001.sdmp, Offset: 06B50000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: CreateProcessUser
                                                                                                          • String ID:
                                                                                                          • API String ID: 2217836671-0
                                                                                                          • Opcode ID: 8c97f4b96a7a436769d28dc6d1350a35681ccf1db11132a3f47b364e6aa54b7b
                                                                                                          • Instruction ID: e6aedb70c233dce9a9d6d7431b486b20bc5209a3a43f4690ea8375360cf930a6
                                                                                                          • Opcode Fuzzy Hash: 8c97f4b96a7a436769d28dc6d1350a35681ccf1db11132a3f47b364e6aa54b7b
                                                                                                          • Instruction Fuzzy Hash: 23514971D002299FCF64CF99C840BDDBBB1BF48314F0584AAE958B7210DB759A89CF90
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06B54CB0
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.505069024.0000000006B50000.00000040.00000001.sdmp, Offset: 06B50000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: MemoryProcessWrite
                                                                                                          • String ID:
                                                                                                          • API String ID: 3559483778-0
                                                                                                          • Opcode ID: 3ac703abb094aff95e215483b15edc817432bb90d239f37d2f06ee565ab108df
                                                                                                          • Instruction ID: 7705c4cb3699d023e71ea987dd7172af3cfde64d86fae3c793d7f3328242eb67
                                                                                                          • Opcode Fuzzy Hash: 3ac703abb094aff95e215483b15edc817432bb90d239f37d2f06ee565ab108df
                                                                                                          • Instruction Fuzzy Hash: D42128B1D002099FCB50DFA9C8447EEBBF5FB48324F518829E915A7240C7789544CBA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06B54CB0
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.505069024.0000000006B50000.00000040.00000001.sdmp, Offset: 06B50000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: MemoryProcessWrite
                                                                                                          • String ID:
                                                                                                          • API String ID: 3559483778-0
                                                                                                          • Opcode ID: 83d6f4ebeaf8874019c3838d0318678daf0fdddaea452271227c6e818c7084f6
                                                                                                          • Instruction ID: a3bdd50c2a2d05f706619c6121b24d0d6e15d600b16e4635981be3275efa42cb
                                                                                                          • Opcode Fuzzy Hash: 83d6f4ebeaf8874019c3838d0318678daf0fdddaea452271227c6e818c7084f6
                                                                                                          • Instruction Fuzzy Hash: E22115B1D003599FCB10DFA9C884BEEBBF5FB48314F518429E919A7240D7789944CBA0
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • SetThreadContext.KERNEL32(?,00000000), ref: 06B55086
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.505069024.0000000006B50000.00000040.00000001.sdmp, Offset: 06B50000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: ContextThread
                                                                                                          • String ID:
                                                                                                          • API String ID: 1591575202-0
                                                                                                          • Opcode ID: ca80df3af543de3224fba2735b343b2802288d90d79be4af6ef38468dcf56ca8
                                                                                                          • Instruction ID: cd2fb9be76ce443348294e8ba70b9a42721351e3489f25a0e14bb5b8835a61d1
                                                                                                          • Opcode Fuzzy Hash: ca80df3af543de3224fba2735b343b2802288d90d79be4af6ef38468dcf56ca8
                                                                                                          • Instruction Fuzzy Hash: C2215E71D043098FCB50DFA9C4447EEBBF4EF48228F55842ED559A7240CB78A945CFA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • GetThreadContext.KERNEL32(?,00000000), ref: 06B53FCE
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.505069024.0000000006B50000.00000040.00000001.sdmp, Offset: 06B50000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: ContextThread
                                                                                                          • String ID:
                                                                                                          • API String ID: 1591575202-0
                                                                                                          • Opcode ID: 1c8297cd39e5d485f6b3959c9e3a6b568ddccefe16287f7c7cd3d0739cc00723
                                                                                                          • Instruction ID: 3dcb211a9fc8bab528d864e5d3d2421514aa0d7e243c8187d02484c8fcdde3ed
                                                                                                          • Opcode Fuzzy Hash: 1c8297cd39e5d485f6b3959c9e3a6b568ddccefe16287f7c7cd3d0739cc00723
                                                                                                          • Instruction Fuzzy Hash: 55215C71D043088FCB50DFAAC4847EEBBF4EB48258F55842DE919A7340DB789944CFA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • SetThreadContext.KERNEL32(?,00000000), ref: 06B55086
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.505069024.0000000006B50000.00000040.00000001.sdmp, Offset: 06B50000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: ContextThread
                                                                                                          • String ID:
                                                                                                          • API String ID: 1591575202-0
                                                                                                          • Opcode ID: a5d8d4b0f1a5e1df1de05b0e97f3ed8271631be86c16ff9f56a053c1cfb6d8de
                                                                                                          • Instruction ID: d4709aef38ff5f18b6ab45f794dd93651f16a57d3196d73b29f0390eb90ad1fa
                                                                                                          • Opcode Fuzzy Hash: a5d8d4b0f1a5e1df1de05b0e97f3ed8271631be86c16ff9f56a053c1cfb6d8de
                                                                                                          • Instruction Fuzzy Hash: 05213A71D003088FCB50DFAAC4847EEBBF4EF48228F55842ED519A7240DB78A945CFA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • GetThreadContext.KERNEL32(?,00000000), ref: 06B53FCE
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.505069024.0000000006B50000.00000040.00000001.sdmp, Offset: 06B50000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: ContextThread
                                                                                                          • String ID:
                                                                                                          • API String ID: 1591575202-0
                                                                                                          • Opcode ID: 8410873ce481fc93a5deaed867782d1f0abe90fe856882b959706ddddeef0a80
                                                                                                          • Instruction ID: ad5dec71a1bd5f31dc7ee8e7c7a1ee52ffe1f895d90eb42576d624b2bcc02b82
                                                                                                          • Opcode Fuzzy Hash: 8410873ce481fc93a5deaed867782d1f0abe90fe856882b959706ddddeef0a80
                                                                                                          • Instruction Fuzzy Hash: 0C213971D003098FCB50DFAAC4847EEBBF4EB48268F55842DE519A7340DB789944CFA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • VirtualProtect.KERNEL32(?,?,?,00000000), ref: 04C4DBFB
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.502499376.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: ProtectVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 544645111-0
                                                                                                          • Opcode ID: 1949f506ee1f3918e38d905f78264a55e137648ee86627aab4ee6a4629d51dbd
                                                                                                          • Instruction ID: 2204f33566dcbdd2f63c6df2091ed9454aebcc5542f625439526aadbe3da5080
                                                                                                          • Opcode Fuzzy Hash: 1949f506ee1f3918e38d905f78264a55e137648ee86627aab4ee6a4629d51dbd
                                                                                                          • Instruction Fuzzy Hash: 702106B59002499FDB10DF9AC984BDEBBF4FB48324F108429E559A7241D378A944DFA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06B54A06
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.505069024.0000000006B50000.00000040.00000001.sdmp, Offset: 06B50000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: AllocVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 4275171209-0
                                                                                                          • Opcode ID: 443d3084f2312175fcee59a79f0016651f9a35d5cbe93adb86b81fb2c410e13f
                                                                                                          • Instruction ID: 25ac780775af3396838a605100474c34bf806152a42dab5fc2ca3c5222fee8e6
                                                                                                          • Opcode Fuzzy Hash: 443d3084f2312175fcee59a79f0016651f9a35d5cbe93adb86b81fb2c410e13f
                                                                                                          • Instruction Fuzzy Hash: E41159718002489FCF10DFAAC845BEFBBF5EB48324F51882DE919A7240C775A544CFA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • VirtualProtect.KERNEL32(?,?,?,?), ref: 05F71E2B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.504660857.0000000005F70000.00000040.00000001.sdmp, Offset: 05F70000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: ProtectVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 544645111-0
                                                                                                          • Opcode ID: 83ee67c676eee52bececfb648952acff3cd388f27c768a114e105753d37998e6
                                                                                                          • Instruction ID: 52f9a290a41d9f1b8b960e3318f816f9d2ebcded9e89bdec433e0c5995e1c93c
                                                                                                          • Opcode Fuzzy Hash: 83ee67c676eee52bececfb648952acff3cd388f27c768a114e105753d37998e6
                                                                                                          • Instruction Fuzzy Hash: 12211AB5D006099FCB10DF9AC484BDEFBF4FB48324F50842AE959A3240D378A544CFA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • DeleteFileW.KERNEL32(00000000), ref: 05F72498
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.504660857.0000000005F70000.00000040.00000001.sdmp, Offset: 05F70000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: DeleteFile
                                                                                                          • String ID:
                                                                                                          • API String ID: 4033686569-0
                                                                                                          • Opcode ID: 0a508f58fe3e829ded6dbd733c311d6898fb507081b6539339689eff6d605901
                                                                                                          • Instruction ID: 81e271f40031edcd03658cbcdf2c35057af01a473e3ace81f7bbe0399fec8afa
                                                                                                          • Opcode Fuzzy Hash: 0a508f58fe3e829ded6dbd733c311d6898fb507081b6539339689eff6d605901
                                                                                                          • Instruction Fuzzy Hash: 0E2124B6C006598FCB10CF9AC544BEEFBB4FB48324F15852AE819A7740D738A945CFA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • DeleteFileW.KERNEL32(00000000), ref: 05F72498
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.504660857.0000000005F70000.00000040.00000001.sdmp, Offset: 05F70000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: DeleteFile
                                                                                                          • String ID:
                                                                                                          • API String ID: 4033686569-0
                                                                                                          • Opcode ID: 8758bb06035856db54f9499a56cf461f5b704696b0d687f1d7a8e177e70f2880
                                                                                                          • Instruction ID: e7e30588590e1b793a1af25c0cd2bde6fc2dc6c8fff831037f2b970d12d4b10b
                                                                                                          • Opcode Fuzzy Hash: 8758bb06035856db54f9499a56cf461f5b704696b0d687f1d7a8e177e70f2880
                                                                                                          • Instruction Fuzzy Hash: 671136B5C046198BCB10CF9AC444B9EFBF4FB48324F15852AE818B7740D738A944CFA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • VirtualProtect.KERNEL32(?,?,?,?), ref: 05F71E2B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.504660857.0000000005F70000.00000040.00000001.sdmp, Offset: 05F70000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: ProtectVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 544645111-0
                                                                                                          • Opcode ID: 250453404fd0e8bf21960c423f8946ae695db2050ec9f3611959f4f5ce18c1f7
                                                                                                          • Instruction ID: 0f1bf07d6ddf11c95dcbb964abea843dd7d3ba2ebf04e47121341d4292723ca5
                                                                                                          • Opcode Fuzzy Hash: 250453404fd0e8bf21960c423f8946ae695db2050ec9f3611959f4f5ce18c1f7
                                                                                                          • Instruction Fuzzy Hash: 6D21E4B5D006499FCB10DF9AC884BDEFBF4FB48324F10842AE959A7240D378A544CFA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06B54A06
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.505069024.0000000006B50000.00000040.00000001.sdmp, Offset: 06B50000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: AllocVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 4275171209-0
                                                                                                          • Opcode ID: e95b4e9fe27fe97fff5052772c167c334fb0885043096fb22cd2f8659f583492
                                                                                                          • Instruction ID: 97411a15a4b29c31d791abe6d54375da004a787a5fe2bf3938d5102a48555eec
                                                                                                          • Opcode Fuzzy Hash: e95b4e9fe27fe97fff5052772c167c334fb0885043096fb22cd2f8659f583492
                                                                                                          • Instruction Fuzzy Hash: 441137719002489FCF10DFAAC844BEFBBF5EF48324F158819E515A7250CB75A944CFA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.505069024.0000000006B50000.00000040.00000001.sdmp, Offset: 06B50000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: ResumeThread
                                                                                                          • String ID:
                                                                                                          • API String ID: 947044025-0
                                                                                                          • Opcode ID: db7577d49b30611e586df07c9b82eb308ae7f3656fb53eb6478eb890cee7bf9a
                                                                                                          • Instruction ID: 3876be3349389472f3876188338323aabc739caebd51b2f99a5909139a2f650e
                                                                                                          • Opcode Fuzzy Hash: db7577d49b30611e586df07c9b82eb308ae7f3656fb53eb6478eb890cee7bf9a
                                                                                                          • Instruction Fuzzy Hash: 1B112BB1D043488BDB20DFAAC8447EFBBF4EB48224F55885DD515A7240CB79A544CFA5
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.505069024.0000000006B50000.00000040.00000001.sdmp, Offset: 06B50000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: ResumeThread
                                                                                                          • String ID:
                                                                                                          • API String ID: 947044025-0
                                                                                                          • Opcode ID: ae4963650bc8f02ec3ccf50e6f631d86142103dfbd2c5d30858fa3096e1267ab
                                                                                                          • Instruction ID: d11cb66d025faf6210c60121eae2b33069b3c6289041b5dfeb95f45607228225
                                                                                                          • Opcode Fuzzy Hash: ae4963650bc8f02ec3ccf50e6f631d86142103dfbd2c5d30858fa3096e1267ab
                                                                                                          • Instruction Fuzzy Hash: 64113DB1D043488BCB20DFAAC8447DFFBF4AB48224F15881DD515A7340CB75A544CFA5
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.491089463.0000000000D3D000.00000040.00000001.sdmp, Offset: 00D3D000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: d465123b873fa753a6eaa1bcbead6f0af6e8e8b4bfb12df823359bb39a2788e0
                                                                                                          • Instruction ID: 2c47956c7996066a27deda76bf8f41098dca91fa977aacaeaf79e23394dfd24d
                                                                                                          • Opcode Fuzzy Hash: d465123b873fa753a6eaa1bcbead6f0af6e8e8b4bfb12df823359bb39a2788e0
                                                                                                          • Instruction Fuzzy Hash: 2C2137B1504240DFCB04DF14E8C0B26BB66FB94328F34C5A9E9454B246C336E856DFB2
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.491089463.0000000000D3D000.00000040.00000001.sdmp, Offset: 00D3D000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 7abbe9438c474989f464004dc6e354bcc16e396c14f0a992b83967b4a30efd22
                                                                                                          • Instruction ID: 45234540bf22ce490638401dabf7452022ccfdfae1f16dd3e4e80f1a29b9a5b4
                                                                                                          • Opcode Fuzzy Hash: 7abbe9438c474989f464004dc6e354bcc16e396c14f0a992b83967b4a30efd22
                                                                                                          • Instruction Fuzzy Hash: D72125B1504240DFDB05DF14E8C0B26BF66FB98328F348569E9064B246C336D856DFB2
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.491089463.0000000000D3D000.00000040.00000001.sdmp, Offset: 00D3D000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
                                                                                                          • Instruction ID: 9663d8becea18f1d5e95a729d2e1c1f6dc6b5251a6fc830d41940734afdadbe5
                                                                                                          • Opcode Fuzzy Hash: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
                                                                                                          • Instruction Fuzzy Hash: F411B176804280CFCB12CF14D9C4B16BF72FB95324F2886A9D8050B616C336D85ACFA2
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.491089463.0000000000D3D000.00000040.00000001.sdmp, Offset: 00D3D000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
                                                                                                          • Instruction ID: 2c1adbd08a3d8758bb2f40900cb1f61cbe4a054bd091d40ba0fba6098454aa3b
                                                                                                          • Opcode Fuzzy Hash: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
                                                                                                          • Instruction Fuzzy Hash: 24119376504280DFCB15CF14D9C4B16BF72FB94324F28C6A9D8454B656C336E85ACFA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.491089463.0000000000D3D000.00000040.00000001.sdmp, Offset: 00D3D000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: c0bac179321fbb514b077ada5250b2e498e1eb81eebd52477b5fa9abe60919be
                                                                                                          • Instruction ID: a4e5755152f5ecdbdd3b1c00eb2dbd812da200b0eda9ada09f53eac4215aa804
                                                                                                          • Opcode Fuzzy Hash: c0bac179321fbb514b077ada5250b2e498e1eb81eebd52477b5fa9abe60919be
                                                                                                          • Instruction Fuzzy Hash: 3201F771409340DAD7204B26DC84766BBE8EF41378F18845AEE045B246C375E844DAB1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000006.00000002.491089463.0000000000D3D000.00000040.00000001.sdmp, Offset: 00D3D000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 542f17b1842e54b5e04552c559ef4566f778057d60d018d057318cd28093f7cd
                                                                                                          • Instruction ID: 59dd46ec7e79848fa5b8072a2c38071d601e9c4b9778f49d1ad83b10354c3d7c
                                                                                                          • Opcode Fuzzy Hash: 542f17b1842e54b5e04552c559ef4566f778057d60d018d057318cd28093f7cd
                                                                                                          • Instruction Fuzzy Hash: 02F06271405244AEE7208F16DCC4B62FBE8EB51774F28C45AED085B286C379AC44DAB1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Non-executed Functions

                                                                                                          Executed Functions

                                                                                                          APIs
                                                                                                          • VirtualProtect.KERNELBASE(?,?,?,00000000), ref: 02C7DBFB
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.286730671.0000000002C70000.00000040.00000001.sdmp, Offset: 02C70000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: ProtectVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 544645111-0
                                                                                                          • Opcode ID: 4cdf253dce3878a3dc93efd3e07e571c94111bbde245cf815da866ba804b4609
                                                                                                          • Instruction ID: 0ce40ae688246f653b9e887c9b981b4006d7d8566a295a5dde81474cd29126a7
                                                                                                          • Opcode Fuzzy Hash: 4cdf253dce3878a3dc93efd3e07e571c94111bbde245cf815da866ba804b4609
                                                                                                          • Instruction Fuzzy Hash: BC2117B59006499FCB10DF9AD984BEEFBF4FF48324F108429E559A7240D378A984CFA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.286153136.00000000011DD000.00000040.00000001.sdmp, Offset: 011DD000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 0a1d3f7b85ebade71bcc1d56e654b14f450c8a2f9d267f640ac6a06addf23aea
                                                                                                          • Instruction ID: 44301ee3047ed206542e6e1efe9f41f536728adb58d4db85b0766af4706f34b0
                                                                                                          • Opcode Fuzzy Hash: 0a1d3f7b85ebade71bcc1d56e654b14f450c8a2f9d267f640ac6a06addf23aea
                                                                                                          • Instruction Fuzzy Hash: F92128B1504240EFDF09DF94E8C0B66BB65FB84324F24C569E9054B686C736E856C7A2
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.286153136.00000000011DD000.00000040.00000001.sdmp, Offset: 011DD000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 6524b9bd30bf157b0ec7b77e5575e2899a64bb939cda96f3a9e1facbb1bfb2a1
                                                                                                          • Instruction ID: ef46ef6726474ce9517ec92d11410df1a984fffa1dd7c0a8b900c1640d2a36ba
                                                                                                          • Opcode Fuzzy Hash: 6524b9bd30bf157b0ec7b77e5575e2899a64bb939cda96f3a9e1facbb1bfb2a1
                                                                                                          • Instruction Fuzzy Hash: 562128B1504240DFDF19DF98E9C0B26BF75FB84328F6485A9E9054B286C336E855CBA2
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.286153136.00000000011DD000.00000040.00000001.sdmp, Offset: 011DD000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
                                                                                                          • Instruction ID: 9e3aa11c682ed4cd06b9dea9c51ee6e90c6487dd81174ca2a5e8c0b3bb82d69e
                                                                                                          • Opcode Fuzzy Hash: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
                                                                                                          • Instruction Fuzzy Hash: C911E176804280DFCF06CF48D9C0B16BF71FB84324F2482A9D8054B257C336D45ACBA2
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.286153136.00000000011DD000.00000040.00000001.sdmp, Offset: 011DD000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
                                                                                                          • Instruction ID: 016989c053b755fefaa51310ed18327996af08e5a8bda5b4e119ea3da3f733b1
                                                                                                          • Opcode Fuzzy Hash: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
                                                                                                          • Instruction Fuzzy Hash: 0C11B176404280DFCF16CF54D5C4B56BF71FB84324F24C6A9D8450BA56C33AE45ACBA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.286153136.00000000011DD000.00000040.00000001.sdmp, Offset: 011DD000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 17192a63ae50b286c2d16a1fdb9003cbf5664638b59fe59a82159947d0d051a4
                                                                                                          • Instruction ID: 04fd846b6bc590b63c1d19af43f5894c2545f6b46c6dabc6a2fc2c4624581c52
                                                                                                          • Opcode Fuzzy Hash: 17192a63ae50b286c2d16a1fdb9003cbf5664638b59fe59a82159947d0d051a4
                                                                                                          • Instruction Fuzzy Hash: 3B014771408340EAEF2A4B6ADCC1762BF9CEF41238F08C05AEE0C5B283C3349844C6B2
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.286153136.00000000011DD000.00000040.00000001.sdmp, Offset: 011DD000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: dd2692fbe304092813d656e69683576faf36238049da7d9d3c2bba5398202add
                                                                                                          • Instruction ID: 88958945bcbfa9b9da9146b05e3d22c553fce9d1c53da83275473818f26deadc
                                                                                                          • Opcode Fuzzy Hash: dd2692fbe304092813d656e69683576faf36238049da7d9d3c2bba5398202add
                                                                                                          • Instruction Fuzzy Hash: 5EF06271405254AEEB258F1ADCC5B62FF98EB41674F18C45AED085B286C3799844CAB1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Non-executed Functions

                                                                                                          Executed Functions

                                                                                                          APIs
                                                                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 04E5962E
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.501642163.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: HandleModule
                                                                                                          • String ID:
                                                                                                          • API String ID: 4139908857-0
                                                                                                          • Opcode ID: 5f507338a9e75eb308e525e6d3998fb1cd30f565be8b15cd14f30094e1cb3fae
                                                                                                          • Instruction ID: 6356b74fe69b324713280af27cea5f581039dbc330655bc64621c07baba586bd
                                                                                                          • Opcode Fuzzy Hash: 5f507338a9e75eb308e525e6d3998fb1cd30f565be8b15cd14f30094e1cb3fae
                                                                                                          • Instruction Fuzzy Hash: 3A7116B0A00B058FDB64DF2AD48179ABBF1FF88318F10892DD98AD7A50D774F8458B91
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E5FD0A
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.501642163.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: CreateWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 716092398-0
                                                                                                          • Opcode ID: 701b6e3d8e1b1d15692e0c9acb7c525afb29c2126dbef0dc5741495a4e9b747a
                                                                                                          • Instruction ID: 441208a07ea9d79c727dc6a66876eb29d668448f79ecfca86b0c6dac3461762d
                                                                                                          • Opcode Fuzzy Hash: 701b6e3d8e1b1d15692e0c9acb7c525afb29c2126dbef0dc5741495a4e9b747a
                                                                                                          • Instruction Fuzzy Hash: 5551B1B1D00209DFDB14CF9AD884ADEBFB5FF88314F24852AE819AB210D774A945CF91
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E5FD0A
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.501642163.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: CreateWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 716092398-0
                                                                                                          • Opcode ID: f7f2ca516ab806a7557f958d4fe3f3b4cc71961d4583fd3240eb869a238847e6
                                                                                                          • Instruction ID: 8d468d1633a9b117ab3ec2526b1cb757a5814ab9d56654f7d9f117d2da7777a4
                                                                                                          • Opcode Fuzzy Hash: f7f2ca516ab806a7557f958d4fe3f3b4cc71961d4583fd3240eb869a238847e6
                                                                                                          • Instruction Fuzzy Hash: 5A51A2B1D00309EFDB14CF9AD884ADEBFB5BF88314F24852AE815AB210D774A945CF91
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • CreateActCtxA.KERNEL32(?), ref: 04F246B1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.501917587.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: Create
                                                                                                          • String ID:
                                                                                                          • API String ID: 2289755597-0
                                                                                                          • Opcode ID: 18b26a769a4a746d67a90e6bcded837aa5374becfcd39d58ee3db53f1a4dafa5
                                                                                                          • Instruction ID: 48307f67cce9e00944e2db9a4ccc5a429934dcd85c95324079cf220db0d9f97b
                                                                                                          • Opcode Fuzzy Hash: 18b26a769a4a746d67a90e6bcded837aa5374becfcd39d58ee3db53f1a4dafa5
                                                                                                          • Instruction Fuzzy Hash: 4B411371C04358CFDB25DFA5C9447CEBBB1BF8A308F24805AD518AB251DBB4694ACFA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • CreateActCtxA.KERNEL32(?), ref: 04F246B1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.501917587.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: Create
                                                                                                          • String ID:
                                                                                                          • API String ID: 2289755597-0
                                                                                                          • Opcode ID: dc616f7307ddf5bcbdde20c72d95ced9c6effa747524950046b3b93c6c42b190
                                                                                                          • Instruction ID: ebc28cb7066dad10babd89c30f2e3fa8c5ce5d2773e6c914f806bfc955cb6dad
                                                                                                          • Opcode Fuzzy Hash: dc616f7307ddf5bcbdde20c72d95ced9c6effa747524950046b3b93c6c42b190
                                                                                                          • Instruction Fuzzy Hash: 7A411271C0422CCBDB24DFA9C944BDEBBB1BF49308F208059D508BB250DBB5694ACF91
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 04F22531
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.501917587.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: CallProcWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 2714655100-0
                                                                                                          • Opcode ID: 1bffd98aa3b3b0a9759a313add6081ece9355e2805c1df3bd08a109dfb4b5672
                                                                                                          • Instruction ID: 46e105cf907ff6f4fab2e75fc37ad86b476f65fab430f527fd775c8c21a7f916
                                                                                                          • Opcode Fuzzy Hash: 1bffd98aa3b3b0a9759a313add6081ece9355e2805c1df3bd08a109dfb4b5672
                                                                                                          • Instruction Fuzzy Hash: 0E4149B9A00215CFDB10CF99C489AAABBF5FB88314F25C499D519AB321D734E841CFA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.501917587.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: CreateFromIconResource
                                                                                                          • String ID:
                                                                                                          • API String ID: 3668623891-0
                                                                                                          • Opcode ID: 1bb7187c8ef8fff896b0d86e71150dcb129b60df5bc1b8759601d1b9745447e4
                                                                                                          • Instruction ID: 9343b4491a37674ea14ad360c6993af2a46da8e748e0e5c36f95b03f76bf182b
                                                                                                          • Opcode Fuzzy Hash: 1bb7187c8ef8fff896b0d86e71150dcb129b60df5bc1b8759601d1b9745447e4
                                                                                                          • Instruction Fuzzy Hash: 023178729042999FDB11DFAAC900AEEBFF8EF49310F04845AF954A7221C335A855DFA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04E5BCC6,?,?,?,?,?), ref: 04E5BD87
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.501642163.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: DuplicateHandle
                                                                                                          • String ID:
                                                                                                          • API String ID: 3793708945-0
                                                                                                          • Opcode ID: ecd97306c58b3d6ccedd43109a99b6993f41bf34dff2cc461784e3c865157a36
                                                                                                          • Instruction ID: 165789cdf4049a2cbc1f2ad8366a2e1672e0c1083d9871f2b8621831734134bb
                                                                                                          • Opcode Fuzzy Hash: ecd97306c58b3d6ccedd43109a99b6993f41bf34dff2cc461784e3c865157a36
                                                                                                          • Instruction Fuzzy Hash: 0721E6B5D00218DFDB10DF9AD885AEEBFF4EB48324F14841AE914A7310D378A945CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04E5BCC6,?,?,?,?,?), ref: 04E5BD87
Memory Dump Source
• Source File: 00000009.00000002.501642163.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,04F2B8B2,?,?,?,?,?), ref: 04F2B957
Memory Dump Source
• Source File: 00000009.00000002.501917587.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false
Similarity
• API ID: CreateFromIconResource
• String ID:
• API String ID: 3668623891-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,04E596A9,00000800,00000000,00000000), ref: 04E598BA
Memory Dump Source
• Source File: 00000009.00000002.501642163.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,04E596A9,00000800,00000000,00000000), ref: 04E598BA
Memory Dump Source
• Source File: 00000009.00000002.501642163.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,010E53E8,00000000,?), ref: 04F2E73D
Memory Dump Source
• Source File: 00000009.00000002.501917587.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,010E53E8,00000000,?), ref: 04F2E73D
Memory Dump Source
• Source File: 00000009.00000002.501917587.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 04E5962E
Memory Dump Source
• Source File: 00000009.00000002.501642163.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetWindowLongW.USER32(?,?,?,?,?,?,?,?,04E5FE28,?,?,?,?), ref: 04E5FE9D
Memory Dump Source
• Source File: 00000009.00000002.501642163.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,0000020A,?,?,?,?,?,?,04F2226A,?,00000000,?), ref: 04F2C435
Memory Dump Source
• Source File: 00000009.00000002.501917587.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 04F2BCBD
Memory Dump Source
• Source File: 00000009.00000002.501917587.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,00000018,00000001,?), ref: 04F2D29D
Memory Dump Source
• Source File: 00000009.00000002.501917587.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,00000018,00000001,?), ref: 04F2D29D
Memory Dump Source
• Source File: 00000009.00000002.501917587.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,0000020A,?,?,?,?,?,?,04F2226A,?,00000000,?), ref: 04F2C435
Memory Dump Source
• Source File: 00000009.00000002.501917587.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 04F2F435
Memory Dump Source
• Source File: 00000009.00000002.501917587.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• OleInitialize.OLE32(00000000), ref: 04F2F435
Memory Dump Source
• Source File: 00000009.00000002.501917587.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 04F2BCBD
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.501917587.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: MessageSend
                                                                                                          • String ID:
                                                                                                          • API String ID: 3850602802-0
                                                                                                          • Opcode ID: fa2eae41e4eb3c294c02eab2f71ba40d63d6a77011d47965fbe6db9a7dd0b75f
                                                                                                          • Instruction ID: 60429dd980af198ac9d4fa409675b1ce25fb800ead14c0ca075242c1f070b3a2
                                                                                                          • Opcode Fuzzy Hash: fa2eae41e4eb3c294c02eab2f71ba40d63d6a77011d47965fbe6db9a7dd0b75f
                                                                                                          • Instruction Fuzzy Hash: 0211F2B5800259DFDB10DF9AD584BDEBFF8EB48324F20841AE914A7700C374A945CFA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          APIs
                                                                                                          • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,04E5FE28,?,?,?,?), ref: 04E5FE9D
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.501642163.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID: LongWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 1378638983-0
                                                                                                          • Opcode ID: 9745625c7b1ff789d0f40254e16afa9599d0ea5bfe60422d4a9713f1f5a0def0
                                                                                                          • Instruction ID: ec6dc73e2806abadbc7e858205e1d1d7efc519e40960ab5251d4999bbd81564a
                                                                                                          • Opcode Fuzzy Hash: 9745625c7b1ff789d0f40254e16afa9599d0ea5bfe60422d4a9713f1f5a0def0
                                                                                                          • Instruction Fuzzy Hash: 2311E2B58002499FDB20DF9AD585BDEBFF8EB88324F10845AE919A7340C374A944CFA1
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

                                                                                                          Non-executed Functions

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000009.00000002.501917587.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: ec200ebe0cbc36b23a815f5ba60d149d37e753c2c1344f33cfdf516f7eb58fa2
                                                                                                          • Instruction ID: ee013e1e78841d34009d8a9cd1198b8c27ed645b410da5c8de20f61bd83a47cf
                                                                                                          • Opcode Fuzzy Hash: ec200ebe0cbc36b23a815f5ba60d149d37e753c2c1344f33cfdf516f7eb58fa2
                                                                                                          • Instruction Fuzzy Hash: 34F0BE32A102549BEB24CF29E841BDAB7B8FB45724F004469E955DB360EB71FC19C781
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%
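The function records in this report are easier to triage as structured data than as a flat listing: group them by process and memory region, and note which regions carry API calls. The script below is an added example, not part of the Joe Sandbox report. Its sample input is a constructed, trimmed copy of three records from this page. Two things are assumptions rather than documented facts: the decomposition of the .sdmp file name into process index, dump pass, dump id, base address, page protection and dump kind (inferred from how the names look), and the heuristic that a region whose protection field decodes to PAGE_EXECUTE_READWRITE (0x40, a Windows constant) and that is "based on PE: false" is a candidate for injected or manually mapped code. The "suspicious" flag is this script's own, not a verdict from the sandbox.

```python
import re
from collections import defaultdict

# Windows page-protection constants (winnt.h). ASSUMPTION: the fifth dotted field
# of the .sdmp name carries this value, so 00000040 means PAGE_EXECUTE_READWRITE.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
# ASSUMED layout: <process index hex>.<dump pass>.<dump id>.<base>.<protection>.<kind>.sdmp
SDMP_RE = re.compile(r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<pass>\d{8})\.(?P<dump>\d+)\."
                     r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<kind>\d{8})\.sdmp")
SOURCE_RE = re.compile(r"Source File:\s*(?P<file>[^,\s]+),\s*Offset:\s*(?P<offset>\w+),\s*based on PE:\s*(?P<pe>true|false)")
API_RE = re.compile(r"(?P<func>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
FIELD_RE = re.compile(r"(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)")
HEADERS = ("APIs", "Memory Dump Source", "Similarity", "Uniqueness")

# Constructed sample: three records copied from this report's listing, trimmed to essentials.
SAMPLE = """\
APIs
• OleInitialize.OLE32(00000000), ref: 04F2F435
Memory Dump Source
• Source File: 00000009.00000002.501917587.0000000004F20000.00000040.00000001.sdmp, Offset: 04F20000, based on PE: false
Similarity
• API ID: Initialize
• Opcode ID: c5433b76a68679d2d6d7c94b6f6b05ce69322c50914845ff507353a0b9cf740d
• Instruction Fuzzy Hash: 331133B59046488FCB20DF9AD444B9EBBF4EB48324F10845AE519A3300D374A945CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetWindowLongW.USER32(?,?,?,?,?,?,?,?,04E5FE28,?,?,?,?), ref: 04E5FE9D
Memory Dump Source
• Source File: 00000009.00000002.501642163.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false
Similarity
• API ID: LongWindow
• Instruction Fuzzy Hash: 2311E2B58002499FDB20DF9AD585BDEBFF8EB88324F10845AE919A7340C374A944CFA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.326565951.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
Similarity
• API ID:
• Instruction Fuzzy Hash: F11248747016248FDB58EB78E9A8A6E77F2AF88308F158469D506CB3A5DF31DC46CB40
Uniqueness
• Uniqueness Score: -1.00%
"""


def decode_sdmp(name):
    """Split a dump file name into its assumed fields; None if the name does not match."""
    m = SDMP_RE.fullmatch(name)
    if not m:
        return None
    protect = int(m["protect"], 16)
    return {"proc": int(m["proc"], 16), "dump_id": int(m["dump"]), "base": int(m["base"], 16),
            "protect": protect, "protect_name": PAGE_PROTECT.get(protect, hex(protect))}


def parse_records(text):
    """A record starts at 'APIs', or at 'Memory Dump Source' when no APIs block preceded it."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()     # tolerate the report's bullet prefix
        if not line:
            continue
        if line in HEADERS:
            if line == "APIs" or (line == "Memory Dump Source" and section != "APIs"):
                cur = {"apis": [], "source": None, "pe_backed": None, "fields": {}}
                records.append(cur)
            section = line
        elif cur is None:
            continue
        elif section == "APIs" and (m := API_RE.fullmatch(line)):
            cur["apis"].append(m.groupdict())
        elif section == "Memory Dump Source" and (m := SOURCE_RE.search(line)):
            cur["source"] = decode_sdmp(m["file"])
            cur["pe_backed"] = m["pe"] == "true"
        elif m := FIELD_RE.fullmatch(line):         # Similarity / Uniqueness key-value rows
            cur["fields"][m["key"]] = m["val"]
    return records


def summarize(records):
    """Per (process, region base): function count, APIs called, protection, heuristic flag."""
    regions = defaultdict(lambda: {"functions": 0, "apis": set()})
    for r in records:
        src = r["source"]
        if src is None:
            continue
        reg = regions[(src["proc"], src["base"])]
        reg["functions"] += 1
        reg["apis"].update(f"{a['module']}!{a['func']}" for a in r["apis"])
        reg["protect"] = src["protect_name"]
        reg["pe_backed"] = r["pe_backed"]
        # Heuristic, not a sandbox verdict: writable+executable and not backed by a PE on disk.
        reg["suspicious"] = src["protect"] in (0x40, 0x80) and not r["pe_backed"]
    return dict(regions)


if __name__ == "__main__":
    for key, reg in sorted(summarize(parse_records(SAMPLE)).items()):
        print(key, reg)
```

Run against the full listing (paste the records into SAMPLE or read them from a file), the summary shows every region here decoding to the same shape: PAGE_EXECUTE_READWRITE, not PE-backed, with the process 9 regions at 04F20000 and 04E50000 carrying the GUI-related imports (OLE32!OleInitialize, USER32!SendMessageW, USER32!SetWindowLongW) and the process 17 region at 05020000 carrying functions with no resolved API at all. The Opcode ID and Instruction Fuzzy Hash fields survive in `fields` so they can be pivoted on across reports; the parser is deliberately tolerant of missing rows, since records without API calls omit the APIs block entirely.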

Executed Functions

Memory Dump Source
• Source File: 00000011.00000002.326565951.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f4abcd1f52f397ca53a94e8eb5e6bea99aba4c5be4efdf029fbb1e10e7a5b6de
• Instruction ID: 42126f6a9ee98fb64093bb0dbe445b9a78a6104b15ea9f0f28291b5e8c676dd7
• Opcode Fuzzy Hash: f4abcd1f52f397ca53a94e8eb5e6bea99aba4c5be4efdf029fbb1e10e7a5b6de
• Instruction Fuzzy Hash: F11248747016248FDB58EB78E9A8A6E77F2AF88308F158469D506CB3A5DF31DC46CB40
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.326565951.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 70d117afd9c553e8333045a816d42cb4fea3355f80adc92f7539b6bdf83859e0
• Instruction ID: 8b55802f3481bb83907560f8830d723d9c6eaeb88d3e70a9ed23130ddc49a9a6
• Opcode Fuzzy Hash: 70d117afd9c553e8333045a816d42cb4fea3355f80adc92f7539b6bdf83859e0
• Instruction Fuzzy Hash: 85915E707006148FCB68EF78D5A8A6E77F2AF89308B258468E506CB7A5DF30DC42CB51
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.326565951.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 52abd6bfef089158f96c36c3b2ddad7fbec245af277960c24702eddfd1693e7e
• Instruction ID: ab049c3c4d1ef1375e915c069fc50f638cdabc62a8973b058a7234a992deb5d9
• Opcode Fuzzy Hash: 52abd6bfef089158f96c36c3b2ddad7fbec245af277960c24702eddfd1693e7e
• Instruction Fuzzy Hash: 884119747002208FCB58EF78D45896E37E2AF8A61871249A9E506CF7B5DB35DC45CBA0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.326565951.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 361b430a56a32207423a4dd7135d2ecab8bfe5225610646040f254691781165c
• Instruction ID: dfa9b825c068aaac3241e874dac0010b3698f09a84649699eaa83662a857e29d
• Opcode Fuzzy Hash: 361b430a56a32207423a4dd7135d2ecab8bfe5225610646040f254691781165c
• Instruction Fuzzy Hash: 914117747002208FCB58EF78D45896E77E2AF8A65871248A8E506CF7B5DF35EC45CBA0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.326565951.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ed0a6c3758a4c9ea9ea15dd29ede6ca0098c94f09053a6ef96f5cfe3c8ddb62a
• Instruction ID: c61c7f84951a57d39ff7afb5cde397b835d3b56b8af4adb40ecc9e0379150ac9
• Opcode Fuzzy Hash: ed0a6c3758a4c9ea9ea15dd29ede6ca0098c94f09053a6ef96f5cfe3c8ddb62a
• Instruction Fuzzy Hash: 5BF0ECB0D0A2449FC702EBB0E9965DD3BB0DF0110CF1145DAC444D7653E9314F099761
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.326565951.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 261078377b4ab7d4f15a8318d3b0cb2cc2cfe90268d777099455b96a21cfdf63
• Instruction ID: 95f1f47df81e7e7c1a2a6eac29ccaadd9ea3aab74a1125a597e3ba7fcaccc2c9
• Opcode Fuzzy Hash: 261078377b4ab7d4f15a8318d3b0cb2cc2cfe90268d777099455b96a21cfdf63
• Instruction Fuzzy Hash: C321D4323043258FD7549B7AF8ACA6E77E9FFC4618B15803AD10AD7650DA72D8028790
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.325683630.0000000000F9D000.00000040.00000001.sdmp, Offset: 00F9D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dc728c3812f73ff91939ca9367526d56798c649df69507004bb7f6cc59aabc5d
• Instruction ID: 05188f152ab37839ac3f1f81e75d337d095e9206b52f330d2e6ad68721de005e
• Opcode Fuzzy Hash: dc728c3812f73ff91939ca9367526d56798c649df69507004bb7f6cc59aabc5d
• Instruction Fuzzy Hash: C92137B6904244DFEF04DF10D9C0F26BF65FB88328F348569EA094B246C336D856EBA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.326565951.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8597836450fddf671be3f81f02b64fbb3a0d7a3102ccb2c98bd6c2be0fb71573
• Instruction ID: 6ba3e33d0802d24833d9220591c5701ce01c16619620fc9e14f593d75d5a1510
• Opcode Fuzzy Hash: 8597836450fddf671be3f81f02b64fbb3a0d7a3102ccb2c98bd6c2be0fb71573
• Instruction Fuzzy Hash: 10115B3130C3605FCB51A774A42A16DBBD2DF8621C717886AD986DB791CF34AC06C7D2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.326565951.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f52510937d206dd13c1999daecd04c074b0d90633367e37bde2608585fcfd0e2
• Instruction ID: c4ba3e6a8b3232b9074cef5e468b669dd8db115f5518b03d805bffc29d56e58f
• Opcode Fuzzy Hash: f52510937d206dd13c1999daecd04c074b0d90633367e37bde2608585fcfd0e2
• Instruction Fuzzy Hash: FD0184713184A80FD724B3B8D814B6F36AECBD9209F13406AE14AC77D5CE944C0657B1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.325683630.0000000000F9D000.00000040.00000001.sdmp, Offset: 00F9D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
• Instruction ID: e6d35a48ffaeb8c4feee89e943a22f73ccfa5a607a4b12a0be266b046bf3a575
• Opcode Fuzzy Hash: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
• Instruction Fuzzy Hash: AB11B176804280CFDF15CF10D9C4B16BF71FB94324F3486A9D8490B616C33AD85ADBA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.326565951.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 732678deb7ab53d3d8b502516c97bf4bedb6e4de327391dce604faf1219cb568
• Instruction ID: 7f29af92779a555599c42503aa424835e7c843376b1c9a22050c51ed5db91c47
• Opcode Fuzzy Hash: 732678deb7ab53d3d8b502516c97bf4bedb6e4de327391dce604faf1219cb568
• Instruction Fuzzy Hash: F4014F713188AC1BD668B7B8D814B2F32DEDBD9619F134029B24AC77D4CEA48C0653B1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.326565951.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 800605e42a57503895c63f6af44d256dc1f4f6f665bdd7b86a1675f968dda002
• Instruction ID: 933ea1ac832ee06d1de655d22b0cb78ebb139e760bf7ac406b64db6558150cac
• Opcode Fuzzy Hash: 800605e42a57503895c63f6af44d256dc1f4f6f665bdd7b86a1675f968dda002
• Instruction Fuzzy Hash: 14F0C27154E3E56FCB634B70682949DBFB1AE83210B1F849FD4C1CB683C6341846CBA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.326565951.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 190222e946129bfe0444d8e6d423128d35dce20fe66d7edb2bf23237ef105028
• Instruction ID: 2604d2537ccfe14024b6029b5db5ff6bcb9d107a3bae04ad67936b1a5d21b97b
• Opcode Fuzzy Hash: 190222e946129bfe0444d8e6d423128d35dce20fe66d7edb2bf23237ef105028
• Instruction Fuzzy Hash: E8D05E323501248FC7049BB9F848EA677ECEB49665B0580A6E60CCB221DAB2D8008790
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.326565951.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 685bf89384679428ec451f9bf4d323c1cd18968f54a03352eff949a226758a21
• Instruction ID: 8ffea702217e4fe9c2a192c65039078cb839fb14b658205745aa6bf5b70bd8a0
• Opcode Fuzzy Hash: 685bf89384679428ec451f9bf4d323c1cd18968f54a03352eff949a226758a21
• Instruction Fuzzy Hash: B0E0EC74A01108EF8B44EFB4EA5689E77F9EB4520C71049A9D508E7B15EE31AF04ABA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.326565951.0000000005020000.00000040.00000001.sdmp, Offset: 05020000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 254b6e4f21c75e151f9c2a7a6c21472fe897dba72fa6e2d9befdd3c53d5b5473
• Instruction ID: 254e4fc3d8ddc9a355b7a27abdec1ae7a5a97eb36844d0258032d4624043eab0
• Opcode Fuzzy Hash: 254b6e4f21c75e151f9c2a7a6c21472fe897dba72fa6e2d9befdd3c53d5b5473
• Instruction Fuzzy Hash: 10D0C735B041109F8A04EF78E8544DDB361EF8527971106E5E625C72F1DB31D8158661
                                                                                                          Uniqueness

                                                                                                          Uniqueness Score: -1.00%

Non-executed Functions