
Windows Analysis Report
Order Specification.exe

Overview

General Information

Sample Name: Order Specification.exe
Analysis ID: 560231
MD5: 0484c885885e6b4635cf330d72eaba9a
SHA1: 86ed8ae352598ba36d7b58ceba43a81773ab0bb9
SHA256: 762aa095e3249e971c9b8ed7b0bf6489648db9a61496112ff237d6120f3e092b
Tags: exe, NanoCore, RAT

Detection

Nanocore AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AgentTesla
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Antivirus detection for dropped file
Yara detected Nanocore RAT
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Tries to harvest and steal browser information (history, passwords, etc)
Installs a global keyboard hook
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Sigma detected: Suspicius Add Task From User AppData Temp
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Yara detected Credential Stealer
Contains functionality to call native functions
Enables debug privileges
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Sigma detected: Suspicious Outbound SMTP Connections
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sigma detected: Autorun Keys Modification
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • Order Specification.exe (PID: 4232 cmdline: "C:\Users\user\Desktop\Order Specification.exe" MD5: 0484C885885E6B4635CF330D72EABA9A)
    • powershell.exe (PID: 6828 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Specification.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4404 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hSoFri.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6948 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hSoFri" /XML "C:\Users\user\AppData\Local\Temp\tmpAB8A.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Order Specification.exe (PID: 4636 cmdline: C:\Users\user\Desktop\Order Specification.exe MD5: 0484C885885E6B4635CF330D72EABA9A)
      • host process.exe (PID: 7004 cmdline: "C:\Users\user\AppData\Local\Temp\host process.exe" 0 MD5: 042FA6CD64D8F55F1405D130E306E47A)
      • O.stub.exe (PID: 6424 cmdline: "C:\Users\user\AppData\Local\Temp\O.stub.exe" 0 MD5: 69709CD1D2019B22E72550ABE3AEF9D7)
  • dhcpmon.exe (PID: 2060 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 042FA6CD64D8F55F1405D130E306E47A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\O.stub.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
C:\Users\user\AppData\Local\Temp\host process.exe | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\Users\user\AppData\Local\Temp\host process.exe | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
C:\Users\user\AppData\Local\Temp\host process.exe | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
C:\Users\user\AppData\Local\Temp\host process.exe | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
(4 entries in total; list truncated in this report view)
Source | Rule | Description | Author | Strings
0000000E.00000003.409359357.0000000003D41000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000011.00000002.557825125.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(78 entries in total; list truncated in this report view)
Source | Rule | Description | Author | Strings
2.2.Order Specification.exe.378baef.4.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.2.Order Specification.exe.378baef.4.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
2.2.Order Specification.exe.378baef.4.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
2.2.Order Specification.exe.378baef.4.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xe0f5:$a: NanoCore
  • 0xe105:$a: NanoCore
  • 0xe339:$a: NanoCore
  • 0xe34d:$a: NanoCore
  • 0xe38d:$a: NanoCore
  • 0xe154:$b: ClientPlugin
  • 0xe356:$b: ClientPlugin
  • 0xe396:$b: ClientPlugin
  • 0xe27b:$c: ProjectData
  • 0xec82:$d: DESCrypto
  • 0x1664e:$e: KeepAlive
  • 0x1463c:$g: LogClientMessage
  • 0x10837:$i: get_Connected
  • 0xefb8:$j: #=q
  • 0xefe8:$j: #=q
  • 0xf004:$j: #=q
  • 0xf034:$j: #=q
  • 0xf050:$j: #=q
  • 0xf06c:$j: #=q
  • 0xf09c:$j: #=q
  • 0xf0b8:$j: #=q
23.2.dhcpmon.exe.38095ee.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0x145e3:$x1: NanoCore.ClientPluginHost
  • 0x2d0af:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
  • 0x14610:$x2: IClientNetworkHost
  • 0x2d0dc:$x2: IClientNetworkHost
(173 entries in total; list truncated in this report view)

              AV Detection

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\host process.exe, ProcessId: 7004, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

              E-Banking Fraud

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\host process.exe, ProcessId: 7004, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

              System Summary

Source: Process started | Author: frack113 | Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hSoFri" /XML "C:\Users\user\AppData\Local\Temp\tmpAB8A.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hSoFri" /XML "C:\Users\user\AppData\Local\Temp\tmpAB8A.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Order Specification.exe" , ParentImage: C:\Users\user\Desktop\Order Specification.exe, ParentProcessId: 4232, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hSoFri" /XML "C:\Users\user\AppData\Local\Temp\tmpAB8A.tmp, ProcessId: 6948
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Specification.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Specification.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Order Specification.exe" , ParentImage: C:\Users\user\Desktop\Order Specification.exe, ParentProcessId: 4232, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Specification.exe, ProcessId: 6828
Source: Network Connection | Author: frack113 | Data: DestinationIp: 77.88.21.158, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\O.stub.exe, Initiated: true, ProcessId: 6424, Protocol: tcp, SourceIp: 192.168.2.3, SourceIsIpv6: false, SourcePort: 49798
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton | Data: Details: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\host process.exe, ProcessId: 7004, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Monitor
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Specification.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Specification.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Order Specification.exe" , ParentImage: C:\Users\user\Desktop\Order Specification.exe, ParentProcessId: 4232, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Specification.exe, ProcessId: 6828
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132876925237602286.6828.DefaultAppDomain.powershell

              Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\host process.exe, ProcessId: 7004, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

              Remote Access Functionality

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\host process.exe, ProcessId: 7004, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat


              AV Detection

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\AppData\Local\Temp\host process.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Avira: detection malicious, Label: TR/Spy.Gen8
Source: Yara match | File source: 2.2.Order Specification.exe.378baef.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.dhcpmon.exe.38095ee.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.host process.exe.379e424.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Order Specification.exe.4031bf.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.host process.exe.90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Order Specification.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.dhcpmon.exe.380e424.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Order Specification.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Order Specification.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Order Specification.exe.3dd0dbf.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.host process.exe.90000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Order Specification.exe.4031bf.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.dhcpmon.exe.3812a4d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.host process.exe.4ff0000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.host process.exe.90000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.host process.exe.37995ee.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Order Specification.exe.3789930.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Order Specification.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Order Specification.exe.4031bf.13.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Order Specification.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.dhcpmon.exe.380e424.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.host process.exe.90000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Order Specification.exe.3dcec00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Order Specification.exe.378baef.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Order Specification.exe.3dcec00.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Order Specification.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Order Specification.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.host process.exe.379e424.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.0.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.host process.exe.37a2a4d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.host process.exe.90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.host process.exe.4ff4629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.Order Specification.exe.4031bf.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.host process.exe.4ff0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Order Specification.exe.3dd0dbf.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Order Specification.exe.3789930.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Order Specification.exe.37be541.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Order Specification.exe.3a76590.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000003.409359357.0000000003D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.557826001.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.394646036.0000000001606000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.398076862.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.560916482.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.465643689.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.397724050.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.398470828.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.464295461.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.401463421.0000000003DA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.560139587.0000000003797000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000000.398997290.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.465733895.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.392054415.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Order Specification.exe PID: 4232, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Order Specification.exe PID: 4636, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: host process.exe PID: 7004, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 2060, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\host process.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Virustotal: Detection: 79%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Virustotal: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Metadefender: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | ReversingLabs: Detection: 85%
Source: C:\Users\user\AppData\Local\Temp\host process.exe | Virustotal: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\host process.exe | ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Roaming\hSoFri.exe | ReversingLabs: Detection: 16%
Source: Order Specification.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\host process.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\hSoFri.exe | Joe Sandbox ML: detected
Source: 16.0.host process.exe.90000.3.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.Order Specification.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 23.2.dhcpmon.exe.100000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.0.Order Specification.exe.400000.6.unpack | Avira: Label: TR/Dropper.Gen
Source: 14.0.Order Specification.exe.400000.8.unpack | Avira: Label: TR/Dropper.Gen
Source: 2.2.Order Specification.exe.3789930.3.unpack | Avira: Label: TR/Dropper.Gen
Source: 16.2.host process.exe.90000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.host process.exe.90000.2.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.2.host process.exe.4ff0000.8.unpack | Avira: Label: TR/NanoCore.fadte
Source: 16.0.host process.exe.90000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.Order Specification.exe.3dcec00.5.unpack | Avira: Label: TR/Dropper.Gen
Source: 14.0.Order Specification.exe.400000.12.unpack | Avira: Label: TR/Dropper.Gen
Source: 14.0.Order Specification.exe.400000.4.unpack | Avira: Label: TR/Dropper.Gen
Source: 23.0.dhcpmon.exe.100000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.0.host process.exe.90000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: Order Specification.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\AppData\Local\Temp\host process.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Order Specification.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: indows\mscorlib.pdbpdblib.pdb | source: host process.exe, 00000010.00000002.559630624.0000000002405000.00000004.00000020.00020000.00000000.sdmp

              Networking

Source: unknown | DNS query: name: timmy13.ddns.net
Source: global traffic | TCP traffic: 192.168.2.3:49750 -> 185.140.53.138:28289
Source: global traffic | TCP traffic: 192.168.2.3:49798 -> 77.88.21.158:587
Source: global traffic | TCP traffic: 192.168.2.3:49798 -> 77.88.21.158:587
Source: O.stub.exe, 00000011.00000002.559798734.000000000371E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://MSN1yB6AgP4w05v9.net
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Order Specification.exe, 00000002.00000002.396167134.0000000002781000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown | DNS traffic detected: queries for: timmy13.ddns.net

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\O.stub.exe
              Source: host process.exe, 00000010.00000002.560916482.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: RegisterRawInputDevices

              E-Banking Fraud

              Source: Yara match | File source: 2.2.Order Specification.exe.378baef.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 23.2.dhcpmon.exe.38095ee.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.host process.exe.379e424.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.4031bf.9.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.host process.exe.90000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.Order Specification.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 23.2.dhcpmon.exe.380e424.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.Order Specification.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 23.2.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.400000.8.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3dd0dbf.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.0.host process.exe.90000.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.Order Specification.exe.4031bf.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 23.2.dhcpmon.exe.3812a4d.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.host process.exe.4ff0000.8.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.0.host process.exe.90000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.host process.exe.37995ee.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3789930.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.400000.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.4031bf.13.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 23.2.dhcpmon.exe.380e424.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.0.host process.exe.90000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3dcec00.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.378baef.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3dcec00.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.400000.12.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.400000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.host process.exe.379e424.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 23.0.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.host process.exe.37a2a4d.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.0.host process.exe.90000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.host process.exe.4ff4629.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.4031bf.13.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 16.2.host process.exe.4ff0000.8.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3dd0dbf.7.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3789930.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.37be541.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3a76590.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0000000E.00000003.409359357.0000000003D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000002.557826001.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000003.394646036.0000000001606000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000000.398076862.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000002.560916482.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000017.00000002.465643689.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000000.397724050.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000000.398470828.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
              Source: Yara match | File source: 00000017.00000002.464295461.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000003.401463421.0000000003DA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000002.560139587.0000000003797000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000010.00000000.398997290.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
              Source: Yara match | File source: 00000017.00000002.465733895.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000000.392054415.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Order Specification.exe PID: 4232, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: Order Specification.exe PID: 4636, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: host process.exe PID: 7004, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 2060, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\host process.exe, type: DROPPED
              Source: Yara match | File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

              System Summary

              Source: 2.2.Order Specification.exe.378baef.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 2.2.Order Specification.exe.378baef.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 23.2.dhcpmon.exe.38095ee.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 23.2.dhcpmon.exe.38095ee.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 16.2.host process.exe.379e424.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.0.Order Specification.exe.4031bf.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.0.Order Specification.exe.4031bf.9.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 16.2.host process.exe.90000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 16.2.host process.exe.90000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 14.2.Order Specification.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.2.Order Specification.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 23.2.dhcpmon.exe.380e424.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.2.Order Specification.exe.4031bf.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.2.Order Specification.exe.4031bf.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 23.2.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 23.2.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 14.0.Order Specification.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.0.Order Specification.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 2.2.Order Specification.exe.3dd0dbf.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 2.2.Order Specification.exe.3dd0dbf.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 16.2.host process.exe.4ac0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 16.0.host process.exe.90000.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 16.0.host process.exe.90000.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 16.2.host process.exe.27617c0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.2.Order Specification.exe.4031bf.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.2.Order Specification.exe.4031bf.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 23.2.dhcpmon.exe.3812a4d.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 16.2.host process.exe.4ff0000.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 16.0.host process.exe.90000.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 16.0.host process.exe.90000.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 16.2.host process.exe.37995ee.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 16.2.host process.exe.37995ee.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 2.2.Order Specification.exe.3789930.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 2.2.Order Specification.exe.3789930.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 14.0.Order Specification.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.0.Order Specification.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 14.0.Order Specification.exe.4031bf.13.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.0.Order Specification.exe.4031bf.13.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 14.0.Order Specification.exe.4031bf.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.0.Order Specification.exe.4031bf.9.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 23.2.dhcpmon.exe.380e424.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 16.0.host process.exe.90000.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 16.0.host process.exe.90000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 2.2.Order Specification.exe.3dcec00.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 2.2.Order Specification.exe.378baef.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 2.2.Order Specification.exe.378baef.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 2.2.Order Specification.exe.3dcec00.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 2.2.Order Specification.exe.3dcec00.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 2.2.Order Specification.exe.3dcec00.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 14.0.Order Specification.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.0.Order Specification.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 23.2.dhcpmon.exe.27e3dc4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.0.Order Specification.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.0.Order Specification.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 16.2.host process.exe.379e424.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 23.0.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 23.0.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 16.2.host process.exe.37a2a4d.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 16.0.host process.exe.90000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 16.0.host process.exe.90000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 16.2.host process.exe.4ff4629.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.0.Order Specification.exe.4031bf.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 14.0.Order Specification.exe.4031bf.13.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 16.2.host process.exe.4ff0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 2.2.Order Specification.exe.3dd0dbf.7.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 2.2.Order Specification.exe.3dd0dbf.7.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 2.2.Order Specification.exe.3789930.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 2.2.Order Specification.exe.3789930.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 2.2.Order Specification.exe.37be541.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 2.2.Order Specification.exe.37be541.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 2.2.Order Specification.exe.3a76590.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 2.2.Order Specification.exe.3a76590.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000010.00000002.557826001.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 00000010.00000002.557826001.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000E.00000003.394646036.0000000001606000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 0000000E.00000003.394646036.0000000001606000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000010.00000000.398076862.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 00000010.00000000.398076862.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000010.00000002.560916482.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 00000017.00000002.465643689.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000010.00000000.397724050.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 00000010.00000000.397724050.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000010.00000000.398470828.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 00000010.00000000.398470828.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000017.00000002.464295461.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 00000017.00000002.464295461.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000010.00000002.560139587.0000000003797000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000010.00000000.398997290.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 00000010.00000000.398997290.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000010.00000002.560644251.0000000004AC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 00000017.00000002.465733895.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000000E.00000000.392054415.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 0000000E.00000000.392054415.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: Process Memory Space: Order Specification.exe PID: 4232, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: Process Memory Space: Order Specification.exe PID: 4232, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: Process Memory Space: Order Specification.exe PID: 4636, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: Process Memory Space: Order Specification.exe PID: 4636, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: Process Memory Space: host process.exe PID: 7004, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: Process Memory Space: host process.exe PID: 7004, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: Process Memory Space: dhcpmon.exe PID: 2060, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: Process Memory Space: dhcpmon.exe PID: 2060, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: C:\Users\user\AppData\Local\Temp\host process.exe, type: DROPPED | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: C:\Users\user\AppData\Local\Temp\host process.exe, type: DROPPED | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
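              The Yara match and Matched rule listings above are long but carry a small set of indicators: the dynamic-DNS C2 host from the DNS line, the two dropped NanoCore binaries, the process numbers and PIDs the matches belong to, and which matched memory regions are RWX (a sign of the unpacked payload rather than the on-disk file). The script below is an added example, not part of this Joe Sandbox report and not Joe Sandbox code; it folds lines in this export format into one triage summary, whether the column separator is present or not. It relies on one observation visible in the report, namely that the first field of an N.M.<image>.<addr>.<n>.unpack name is the same process number as the hex first field of the .sdmp names (0000000E = 14 = Order Specification.exe, 00000010 = 16 = host process.exe, 00000017 = 23 = dhcpmon.exe), so memory-only hits can be tied back to an image. The remaining .sdmp field layout (snapshot, sequence, base address, page protection, two fields left undecoded, memory type) is inferred from the report and the Win32 memory constants and is an assumption, not a documented format. The font-vendor URLs listed earlier under "String found in binary or memory" are deliberately not treated as network indicators: only the DNS query is.

              ```python
"""Triage helper for a flattened Joe Sandbox signature listing.

Added example; not part of the report above and not Joe Sandbox code.
Assumed .sdmp name layout (inferred, not documented):
  <process no, hex>.<snapshot>.<sequence>.<base addr>.<page protect>.<?>.<mem type>.<?>.sdmp
"""
import re
from collections import defaultdict

# N.M.<image name>.<hex base>.<n>[.raw].unpack  (image names may contain spaces)
UNPACK_RE = re.compile(r"(\d+)\.(\d+)\.(.+?)\.([0-9a-fA-F]+)\.(\d+)(?:\.raw)?\.unpack")
SDMP_RE = re.compile(
    r"([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})"
    r"\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp"
)
PIDSPACE_RE = re.compile(r"Process Memory Space: (.+?) PID: (\d+)")
DROPPED_RE = re.compile(r"[Ss]ource: (.+?), type: DROPPED")
DNS_RE = re.compile(r"DNS traffic detected: queries for: (\S+)")
RULE_RE = re.compile(r"Source: (.+?), type: \w+.*?Matched rule: (.+?) Author: (.+)$")

PAGE_EXECUTE_READWRITE = 0x40  # Win32 page protection constant
MEM_TYPES = {0x1000000: "MEM_IMAGE", 0x40000: "MEM_MAPPED", 0x20000: "MEM_PRIVATE"}


def decode_dump(name):
    """Split an .sdmp name into its assumed fields; None if it is not one."""
    m = SDMP_RE.search(name)
    if not m:
        return None
    return {
        "index": int(m.group(1), 16),      # hex process number, e.g. 0000000E -> 14
        "snapshot": int(m.group(2), 16),
        "base": int(m.group(4), 16),
        "protect": int(m.group(5), 16),
        "mem_type": MEM_TYPES.get(int(m.group(7), 16), "unknown"),
    }


def new_summary():
    return {
        "c2_domains": set(),
        "dropped_files": set(),
        # image name -> process numbers from unpack names, PIDs from MEMORYSTR lines
        "images": defaultdict(lambda: {"indexes": set(), "pids": set()}),
        "rwx_dumps": set(),          # (process number, base) of RWX regions with hits
        "rules": defaultdict(set),   # rule description -> sources it matched
    }


def triage(text):
    """Fold a block of signature lines into one indicator summary."""
    s = new_summary()
    for line in text.splitlines():
        if (m := DNS_RE.search(line)):
            s["c2_domains"].add(m.group(1))
        if (m := DROPPED_RE.search(line)):
            s["dropped_files"].add(m.group(1))
        if (m := RULE_RE.search(line)):
            s["rules"][m.group(2)].add(m.group(1))
        if (m := PIDSPACE_RE.search(line)):
            s["images"][m.group(1)]["pids"].add(int(m.group(2)))
        if (m := UNPACK_RE.search(line)):
            s["images"][m.group(3)]["indexes"].add(int(m.group(1)))
        d = decode_dump(line)
        if d and d["protect"] == PAGE_EXECUTE_READWRITE:
            s["rwx_dumps"].add((d["index"], d["base"]))
    return s


def format_summary(s):
    """Render the summary as plain text (returned, not printed)."""
    out = ["C2 / dynamic-DNS hosts: " + ", ".join(sorted(s["c2_domains"]))]
    out += ["Dropped: " + p for p in sorted(s["dropped_files"])]
    for name, info in sorted(s["images"].items()):
        out.append(f"{name}: process no {sorted(info['indexes'])}, PIDs {sorted(info['pids'])}")
    for idx, base in sorted(s["rwx_dumps"]):
        out.append(f"RWX region with Yara hit: process {idx} @ 0x{base:x} (unpacked payload candidate)")
    for rule, srcs in sorted(s["rules"].items()):
        out.append(f"rule '{rule}' matched {len(srcs)} source(s)")
    return "\n".join(out)


# Constructed sample: a few lines copied from the listing above.
SAMPLE = r"""
Source: unknown | DNS traffic detected: queries for: timmy13.ddns.net
Source: Yara match | File source: 2.2.Order Specification.exe.378baef.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Order Specification.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.557826001.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Order Specification.exe PID: 4636, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: host process.exe PID: 7004, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\host process.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: 16.2.host process.exe.90000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.host process.exe.90000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
"""

if __name__ == "__main__":
    print(format_summary(triage(SAMPLE)))
              ```

              Feed it the whole signature block and the RWX entries are the addresses worth carving first (here process 14 at 0x403000, the in-place unpacked copy of Order Specification.exe), while the dropped-file paths and the ddns.net host go straight into blocking and hunting.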
              Source: initial sample | Static PE information: Filename: Order Specification.exe
              Source: C:\Users\user\Desktop\Order Specification.exe | Code function: 2_2_00DFC1A4
              Source: C:\Users\user\Desktop\Order Specification.exe | Code function: 2_2_00DFE5F0
              Source: C:\Users\user\Desktop\Order Specification.exe | Code function: 2_2_00DFE5E3
              Source: C:\Users\user\AppData\Local\Temp\host process.exe | Code function: 16_2_0009524A
              Source: C:\Users\user\AppData\Local\Temp\host process.exe | Code function: 16_2_04883850
              Source: C:\Users\user\AppData\Local\Temp\host process.exe | Code function: 16_2_04888938
              Source: C:\Users\user\AppData\Local\Temp\host process.exe | Code function: 16_2_0488B208
              Source: C:\Users\user\AppData\Local\Temp\host process.exe | Code function: 16_2_04882FA8
              Source: C:\Users\user\AppData\Local\Temp\host process.exe | Code function: 16_2_048823A0
              Source: C:\Users\user\AppData\Local\Temp\host process.exe | Code function: 16_2_0488306F
              Source: C:\Users\user\AppData\Local\Temp\host process.exe | Code function: 16_2_048895FF
              Source: C:\Users\user\AppData\Local\Temp\host process.exe | Code function: 16_2_04889538
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_059BD208
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_059B0007
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_059BE8D8
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_059BEC9B
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_059BDEBB
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_059BECA8
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_059BDA53
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_059BE8CB
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_059BDE4A
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_059BD1FB
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_0666CA58
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_06660070
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_0666C850
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_06666CB7
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_06660F7B
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_06660016
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_0010524A
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_048F2FA8
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_048F23A0
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_048F3850
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_048F306F
              Source: Order Specification.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: hSoFri.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: Order Specification.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
              Source: 2.2.Order Specification.exe.378baef.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 2.2.Order Specification.exe.378baef.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 2.2.Order Specification.exe.378baef.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 23.2.dhcpmon.exe.38095ee.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 23.2.dhcpmon.exe.38095ee.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 23.2.dhcpmon.exe.38095ee.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 16.2.host process.exe.379e424.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.2.host process.exe.379e424.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.0.Order Specification.exe.4031bf.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.0.Order Specification.exe.4031bf.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.0.Order Specification.exe.4031bf.9.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 16.2.host process.exe.90000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.2.host process.exe.90000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 16.2.host process.exe.90000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 14.2.Order Specification.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.2.Order Specification.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.2.Order Specification.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 23.2.dhcpmon.exe.380e424.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 23.2.dhcpmon.exe.380e424.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.2.Order Specification.exe.4031bf.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.2.Order Specification.exe.4031bf.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.2.Order Specification.exe.4031bf.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 23.2.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 23.2.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 23.2.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 14.0.Order Specification.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.0.Order Specification.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.0.Order Specification.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 2.2.Order Specification.exe.3dd0dbf.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 2.2.Order Specification.exe.3dd0dbf.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 2.2.Order Specification.exe.3dd0dbf.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 16.2.host process.exe.4ac0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.2.host process.exe.4ac0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 16.0.host process.exe.90000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.0.host process.exe.90000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 16.0.host process.exe.90000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 16.2.host process.exe.27617c0.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.2.host process.exe.27617c0.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.2.Order Specification.exe.4031bf.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.2.Order Specification.exe.4031bf.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.2.Order Specification.exe.4031bf.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 23.2.dhcpmon.exe.3812a4d.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 23.2.dhcpmon.exe.3812a4d.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 16.2.host process.exe.4ff0000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.2.host process.exe.4ff0000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 16.0.host process.exe.90000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.0.host process.exe.90000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 16.0.host process.exe.90000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 16.2.host process.exe.37995ee.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.2.host process.exe.37995ee.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 16.2.host process.exe.37995ee.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 2.2.Order Specification.exe.3789930.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 2.2.Order Specification.exe.3789930.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 2.2.Order Specification.exe.3789930.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 14.0.Order Specification.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.0.Order Specification.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.0.Order Specification.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 14.0.Order Specification.exe.4031bf.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.0.Order Specification.exe.4031bf.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.0.Order Specification.exe.4031bf.13.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 14.0.Order Specification.exe.4031bf.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.0.Order Specification.exe.4031bf.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.0.Order Specification.exe.4031bf.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 23.2.dhcpmon.exe.380e424.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 23.2.dhcpmon.exe.380e424.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 16.0.host process.exe.90000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.0.host process.exe.90000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 16.0.host process.exe.90000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 2.2.Order Specification.exe.3dcec00.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 2.2.Order Specification.exe.3dcec00.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 2.2.Order Specification.exe.378baef.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 2.2.Order Specification.exe.378baef.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 2.2.Order Specification.exe.3dcec00.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 2.2.Order Specification.exe.3dcec00.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 2.2.Order Specification.exe.3dcec00.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 2.2.Order Specification.exe.3dcec00.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 14.0.Order Specification.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.0.Order Specification.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.0.Order Specification.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 23.2.dhcpmon.exe.27e3dc4.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 23.2.dhcpmon.exe.27e3dc4.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.0.Order Specification.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.0.Order Specification.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.0.Order Specification.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 16.2.host process.exe.379e424.2.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.2.host process.exe.379e424.2.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 23.0.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 23.0.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 23.0.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 16.2.host process.exe.37a2a4d.4.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.2.host process.exe.37a2a4d.4.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 16.0.host process.exe.90000.0.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.0.host process.exe.90000.0.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 16.0.host process.exe.90000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 16.2.host process.exe.4ff4629.7.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.2.host process.exe.4ff4629.7.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.0.Order Specification.exe.4031bf.13.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 14.0.Order Specification.exe.4031bf.13.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 14.0.Order Specification.exe.4031bf.13.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 16.2.host process.exe.4ff0000.8.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 16.2.host process.exe.4ff0000.8.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 2.2.Order Specification.exe.3dd0dbf.7.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 2.2.Order Specification.exe.3dd0dbf.7.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 2.2.Order Specification.exe.3dd0dbf.7.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 2.2.Order Specification.exe.3789930.3.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 2.2.Order Specification.exe.3789930.3.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 2.2.Order Specification.exe.37be541.2.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 2.2.Order Specification.exe.37be541.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 2.2.Order Specification.exe.3a76590.6.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 2.2.Order Specification.exe.3a76590.6.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000010.00000002.557826001.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000010.00000002.557826001.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0000000E.00000003.394646036.0000000001606000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000E.00000003.394646036.0000000001606000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000010.00000000.398076862.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000010.00000000.398076862.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000010.00000002.560916482.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000010.00000002.560916482.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 00000017.00000002.465643689.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000010.00000000.397724050.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000010.00000000.397724050.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000010.00000000.398470828.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000010.00000000.398470828.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000017.00000002.464295461.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000017.00000002.464295461.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000010.00000002.560139587.0000000003797000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000010.00000000.398997290.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000010.00000000.398997290.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000010.00000002.560644251.0000000004AC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000010.00000002.560644251.0000000004AC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 00000017.00000002.465733895.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0000000E.00000000.392054415.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 0000000E.00000000.392054415.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: Process Memory Space: Order Specification.exe PID: 4232, type: MEMORYSTR; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: Process Memory Space: Order Specification.exe PID: 4232, type: MEMORYSTR; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: Process Memory Space: Order Specification.exe PID: 4636, type: MEMORYSTR; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: Process Memory Space: Order Specification.exe PID: 4636, type: MEMORYSTR; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: Process Memory Space: host process.exe PID: 7004, type: MEMORYSTR; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: Process Memory Space: host process.exe PID: 7004, type: MEMORYSTR; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: Process Memory Space: dhcpmon.exe PID: 2060, type: MEMORYSTR; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: Process Memory Space: dhcpmon.exe PID: 2060, type: MEMORYSTR; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: C:\Users\user\AppData\Local\Temp\host process.exe, type: DROPPED; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: C:\Users\user\AppData\Local\Temp\host process.exe, type: DROPPED; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: C:\Users\user\AppData\Local\Temp\host process.exe, type: DROPPED; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: C:\Users\user\AppData\Local\Temp\host process.exe; Code function: 16_2_049B1AA6 NtQuerySystemInformation,16_2_049B1AA6
              Source: C:\Users\user\AppData\Local\Temp\host process.exe; Code function: 16_2_049B1A6B NtQuerySystemInformation,16_2_049B1A6B
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe; Code function: 17_2_030BB362 NtQuerySystemInformation,17_2_030BB362
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe; Code function: 17_2_030BB331 NtQuerySystemInformation,17_2_030BB331
              Source: Order Specification.exe, 00000002.00000002.394949704.00000000004B5000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameCompareOptio.exeZ vs Order Specification.exe
              Source: Order Specification.exe, 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameNWoSezIgxDRFKLdOBHOHkNrqCWNsHaDUjIalnEh.exe4 vs Order Specification.exe
              Source: Order Specification.exe, 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameViottoBinder_Stub.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDI
NGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX vs Order Specification.exe
              Source: Order Specification.exe, 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameUI.dllF vs Order Specification.exe
              Source: Order Specification.exe, 00000002.00000002.409202104.0000000007530000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameUI.dllF vs Order Specification.exe
              Source: Order Specification.exe, 00000002.00000002.396167134.0000000002781000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename vs Order Specification.exe
              Source: Order Specification.exe, 00000002.00000002.396167134.0000000002781000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs Order Specification.exe
              Source: Order Specification.exe, 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameUI.dllF vs Order Specification.exe
              Source: Order Specification.exe, 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameNWoSezIgxDRFKLdOBHOHkNrqCWNsHaDUjIalnEh.exe4 vs Order Specification.exe
              Source: Order Specification.exe, 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameViottoBinder_Stub.exePADDINGXXPADDING… vs Order Specification.exe
              Source: Order Specification.exe, 0000000E.00000000.387851983.0000000001135000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCompareOptio.exeZ vs Order Specification.exe
              Source: Order Specification.exe, 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNWoSezIgxDRFKLdOBHOHkNrqCWNsHaDUjIalnEh.exe4 vs Order Specification.exe
              Source: Order Specification.exe, 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameViottoBinder_Stub.exePADDINGXXPADDING… vs Order Specification.exe
              Source: Order Specification.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: hSoFri.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: host process.exe.14.dr Static PE information: Section: .rsrc ZLIB complexity 0.999575892857
              Source: C:\Users\user\Desktop\Order Specification.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
              Source: C:\Users\user\Desktop\Order Specification.exe File created: C:\Users\user\AppData\Roaming\hSoFri.exe
              Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@17/15@15/3
              Source: C:\Users\user\Desktop\Order Specification.exe File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\AppData\Local\Temp\host process.exe File created: C:\Program Files (x86)\DHCP Monitor
              Source: C:\Users\user\Desktop\Order Specification.exe File read: C:\Users\user\Desktop\Order Specification.exe:Zone.Identifier
              Source: C:\Users\user\Desktop\Order Specification.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown Process created: C:\Users\user\Desktop\Order Specification.exe "C:\Users\user\Desktop\Order Specification.exe"
              Source: C:\Users\user\Desktop\Order Specification.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Specification.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\Order Specification.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hSoFri.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\Order Specification.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hSoFri" /XML "C:\Users\user\AppData\Local\Temp\tmpAB8A.tmp
              Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\Order Specification.exe Process created: C:\Users\user\Desktop\Order Specification.exe C:\Users\user\Desktop\Order Specification.exe
              Source: C:\Users\user\Desktop\Order Specification.exe Process created: C:\Users\user\AppData\Local\Temp\host process.exe "C:\Users\user\AppData\Local\Temp\host process.exe" 0
              Source: C:\Users\user\Desktop\Order Specification.exe Process created: C:\Users\user\AppData\Local\Temp\O.stub.exe "C:\Users\user\AppData\Local\Temp\O.stub.exe" 0
              Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
              Source: C:\Users\user\Desktop\Order Specification.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
              Source: C:\Users\user\AppData\Local\Temp\host process.exe Code function: 16_2_049B1866 AdjustTokenPrivileges, 16_2_049B1866
              Source: C:\Users\user\AppData\Local\Temp\host process.exe Code function: 16_2_049B182F AdjustTokenPrivileges, 16_2_049B182F
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe Code function: 17_2_030BB1E6 AdjustTokenPrivileges, 17_2_030BB1E6
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe Code function: 17_2_030BB1AF AdjustTokenPrivileges, 17_2_030BB1AF
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\Order Specification.exe File created: C:\Users\user\AppData\Local\Temp\tmpAB8A.tmp
              Source: C:\Users\user\Desktop\Order Specification.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\Temp\host process.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\Temp\host process.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
              Source: C:\Users\user\AppData\Local\Temp\host process.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\Order Specification.exe Mutant created: \Sessions\1\BaseNamedObjects\ykYhkkiXIsZBHvktpXG
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6840:120:WilError_01
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5180:120:WilError_01
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6932:120:WilError_01
              Source: C:\Users\user\AppData\Local\Temp\host process.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{964a90aa-b121-4650-948b-3135f4e12fbc}
              Source: host process.exe.14.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
              Source: host process.exe.14.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: host process.exe.14.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe File read: C:\Windows\System32\drivers\etc\hosts
              Source: Window Recorder Window detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\Order Specification.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: Order Specification.exe Static PE information: Virtual size of .text is bigger than: 0x100000
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: C:\Users\user\AppData\Local\Temp\host process.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
              Source: Order Specification.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: Order Specification.exe Static file information: File size 1590272 > 1048576
              Source: Order Specification.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x119e00
              Source: Order Specification.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: host process.exe, 00000010.00000002.559630624.0000000002405000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: Order Specification.exe, iiInfinityEngine.Application/Form1.cs .Net Code: Major System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: hSoFri.exe.2.dr, iiInfinityEngine.Application/Form1.cs .Net Code: Major System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 2.0.Order Specification.exe.330000.0.unpack, iiInfinityEngine.Application/Form1.cs .Net Code: Major System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 2.2.Order Specification.exe.330000.0.unpack, iiInfinityEngine.Application/Form1.cs .Net Code: Major System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: host process.exe.14.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: host process.exe.14.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: C:\Users\user\Desktop\Order Specification.exe Code function: 2_2_00334609 push es; retf 0005h 2_2_00334AD1
              Source: C:\Users\user\Desktop\Order Specification.exe Code function: 2_2_00334AD4 push es; retf 0005h 2_2_00334AD1
              Source: C:\Users\user\Desktop\Order Specification.exe Code function: 2_2_00334AD4 push es; retf 2_2_00334B02
              Source: C:\Users\user\Desktop\Order Specification.exe Code function: 14_2_00FB4AD4 push es; retf 0005h 14_2_00FB4AD1
              Source: C:\Users\user\Desktop\Order Specification.exe Code function: 14_2_00FB4AD4 push es; retf 14_2_00FB4B02
              Source: C:\Users\user\Desktop\Order Specification.exe Code function: 14_2_00FB4609 push es; retf 0005h 14_2_00FB4AD1
              Source: C:\Users\user\AppData\Local\Temp\host process.exe Code function: 16_2_00772875 push edi; ret 16_2_00772882
              Source: C:\Users\user\AppData\Local\Temp\host process.exe Code function: 16_2_00772DF1 push edi; ret 16_2_00772DF2
              Source: C:\Users\user\AppData\Local\Temp\host process.exe Code function: 16_2_00772DFD push edi; ret 16_2_00772DFE
              Source: C:\Users\user\AppData\Local\Temp\host process.exe Code function: 16_2_007728E1 push edi; ret 16_2_007728E2
              Source: C:\Users\user\AppData\Local\Temp\host process.exe Code function: 16_2_00772F60 push eax; ret 16_2_00772F66
              Source: C:\Users\user\AppData\Local\Temp\host process.exe Code function: 16_2_00772D6C push ecx; ret 16_2_00772D6E
              Source: C:\Users\user\AppData\Local\Temp\host process.exe Code function: 16_2_00772D91 push eax; ret 16_2_00772D92
              Source: C:\Users\user\AppData\Local\Temp\host process.exe Code function: 16_2_00772D84 push ecx; ret 16_2_00772D86
              Source: C:\Users\user\AppData\Local\Temp\host process.exe Code function: 16_2_0077288D push edi; ret 16_2_0077288E
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe Code function: 17_2_00FD5888 push ds; retf 17_2_00FD588C
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe Code function: 17_2_00FD8086 push cs; retf 17_2_00FD8087
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe Code function: 17_2_00FDA431 pushfd ; iretd 17_2_00FDA439
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe Code function: 17_2_00FD9FC6 push 00000041h; retf 17_2_00FD9FD7
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe Code function: 17_2_00FD9D8C push es; iretd 17_2_00FD9D8D
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe Code function: 17_2_00FD8B6D push edi; iretd 17_2_00FD8B72
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe Code function: 17_2_00FD8766 push ds; retf 17_2_00FD8768
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe Code function: 17_2_00FDA74E push edi; retf 17_2_00FDA768
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe Code function: 17_2_030B3331 push edi; ret 17_2_030B3332
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe Code function: 17_2_030B2768 push edi; ret 17_2_030B277A
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe Code function: 17_2_030B2FD0 push eax; ret 17_2_030B2FD2
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe Code function: 17_2_030B2FE8 push eax; ret 17_2_030B2FF6
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe Code function: 17_2_030B2DE4 push edi; ret 17_2_030B2DF2
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe Code function: 17_2_030B303C push ecx; ret 17_2_030B303E
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe Code function: 17_2_030B3048 push ecx; ret 17_2_030B304A
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe Code function: 17_2_030B324D push edi; ret 17_2_030B324E
              Source: initial sample Static PE information: section name: .text entropy: 7.72216008471
              Source: host process.exe.14.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
              Source: host process.exe.14.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
              Source: C:\Users\user\Desktop\Order Specification.exe File created: C:\Users\user\AppData\Local\Temp\O.stub.exe
              Source: C:\Users\user\Desktop\Order Specification.exe File created: C:\Users\user\AppData\Roaming\hSoFri.exe
              Source: C:\Users\user\AppData\Local\Temp\host process.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Source: C:\Users\user\Desktop\Order Specification.exe File created: C:\Users\user\AppData\Local\Temp\host process.exe

              Boot Survival

              Source: C:\Users\user\Desktop\Order Specification.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hSoFri" /XML "C:\Users\user\AppData\Local\Temp\tmpAB8A.tmp

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Users\user\AppData\Local\Temp\host process.exe File opened: C:\Users\user\AppData\Local\Temp\host process.exe:Zone.Identifier read attributes | delete
              Source: C:\Users\user\Desktop\Order Specification.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\host process.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

Source: Yara match | File source: 2.2.Order Specification.exe.27cdad4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.396167134.0000000002781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Order Specification.exe PID: 4232, type: MEMORYSTR
Source: Order Specification.exe, 00000002.00000002.396167134.0000000002781000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: Order Specification.exe, 00000002.00000002.396167134.0000000002781000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Function Chain: threadDelayed,memAlloc,systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,systemQueried,threadDelayed,processSet,processSet,threadDelayed,threadDelayed,threadDelayed,memAlloc,memAlloc,memAlloc,memAlloc
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Order Specification.exe TID: 6656 | Thread sleep time: -39709s >= -30000s
Source: C:\Users\user\Desktop\Order Specification.exe TID: 4716 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6328 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2228 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6816 | Thread sleep count: 7303 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 400 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6960 | Thread sleep count: 1209 > 30
Source: C:\Users\user\AppData\Local\Temp\host process.exe TID: 6612 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe TID: 6056 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe TID: 6056 | Thread sleep count: 230 > 30
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe TID: 6056 | Thread sleep time: -6900000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe TID: 6056 | Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5180 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\host process.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Order Specification.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\host process.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4285
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 631
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7303
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1209
Source: C:\Users\user\AppData\Local\Temp\host process.exe | Window / User API: foregroundWindowGot 495
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Order Specification.exe | Thread delayed: delay time: 39709
Source: C:\Users\user\Desktop\Order Specification.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\host process.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Thread delayed: delay time: 30000
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
Source: Order Specification.exe, 00000002.00000002.396167134.0000000002781000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: Order Specification.exe, 00000002.00000002.396167134.0000000002781000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Order Specification.exe, 00000002.00000002.396167134.0000000002781000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: Order Specification.exe, 00000002.00000002.396167134.0000000002781000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\Order Specification.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\host process.exe | Code function: 16_2_049B158E GetSystemInfo,16_2_049B158E
Source: C:\Users\user\Desktop\Order Specification.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\host process.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Code function: 17_2_0666E108 LdrInitializeThunk,17_2_0666E108
Source: C:\Users\user\Desktop\Order Specification.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Order Specification.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Specification.exe
Source: C:\Users\user\Desktop\Order Specification.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hSoFri.exe
Source: C:\Users\user\Desktop\Order Specification.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Specification.exe
Source: C:\Users\user\Desktop\Order Specification.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hSoFri.exe
Source: C:\Users\user\Desktop\Order Specification.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Specification.exe
Source: C:\Users\user\Desktop\Order Specification.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hSoFri.exe
Source: C:\Users\user\Desktop\Order Specification.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hSoFri" /XML "C:\Users\user\AppData\Local\Temp\tmpAB8A.tmp
Source: C:\Users\user\Desktop\Order Specification.exe | Process created: C:\Users\user\Desktop\Order Specification.exe C:\Users\user\Desktop\Order Specification.exe
Source: C:\Users\user\Desktop\Order Specification.exe | Process created: C:\Users\user\AppData\Local\Temp\host process.exe "C:\Users\user\AppData\Local\Temp\host process.exe" 0
Source: C:\Users\user\Desktop\Order Specification.exe | Process created: C:\Users\user\AppData\Local\Temp\O.stub.exe "C:\Users\user\AppData\Local\Temp\O.stub.exe" 0
Source: host process.exe, 00000010.00000002.559742807.00000000027DF000.00000004.00000800.00020000.00000000.sdmp, host process.exe, 00000010.00000002.560071441.00000000029DC000.00000004.00000800.00020000.00000000.sdmp, host process.exe, 00000010.00000002.559889527.00000000028B7000.00000004.00000800.00020000.00000000.sdmp, host process.exe, 00000010.00000002.559876304.00000000028B3000.00000004.00000800.00020000.00000000.sdmp, host process.exe, 00000010.00000002.559812533.0000000002847000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Users\user\Desktop\Order Specification.exe VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
              Source: C:\Users\user\Desktop\Order Specification.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match | File source: 14.0.Order Specification.exe.435c11.14.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.Order Specification.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.0.O.stub.exe.fd0000.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.Order Specification.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.400000.8.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3dd0dbf.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.0.O.stub.exe.fd0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.0.O.stub.exe.fd0000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3789930.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.400000.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.37be541.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3dcec00.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.378baef.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.435c11.10.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3dcec00.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.400000.12.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.400000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.435c11.10.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.Order Specification.exe.435c11.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.435c11.14.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.4031bf.13.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.2.O.stub.exe.fd0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.0.O.stub.exe.fd0000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.Order Specification.exe.435c11.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3789930.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.37be541.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3a76590.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000011.00000002.557825125.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000003.394646036.0000000001606000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000011.00000000.409221651.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
              Source: Yara match | File source: 00000011.00000000.407162956.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000011.00000000.408484017.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
              Source: Yara match | File source: 00000011.00000000.408885887.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
              Source: Yara match | File source: 00000011.00000002.559798734.000000000371E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000000.392054415.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Order Specification.exe PID: 4232, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: Order Specification.exe PID: 4636, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: O.stub.exe PID: 6424, type: MEMORYSTR
              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\O.stub.exe, type: DROPPED
              Source: Yara matchFile source: 2.2.Order Specification.exe.378baef.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 23.2.dhcpmon.exe.38095ee.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 16.2.host process.exe.379e424.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 14.0.Order Specification.exe.4031bf.9.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 16.2.host process.exe.90000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 14.2.Order Specification.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 23.2.dhcpmon.exe.380e424.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 14.2.Order Specification.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 23.2.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 14.0.Order Specification.exe.400000.8.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.Order Specification.exe.3dd0dbf.7.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 16.0.host process.exe.90000.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 14.2.Order Specification.exe.4031bf.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 23.2.dhcpmon.exe.3812a4d.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 16.2.host process.exe.4ff0000.8.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 16.0.host process.exe.90000.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 16.2.host process.exe.37995ee.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.Order Specification.exe.3789930.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 14.0.Order Specification.exe.400000.6.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 14.0.Order Specification.exe.4031bf.13.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 14.0.Order Specification.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 23.2.dhcpmon.exe.380e424.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 16.0.host process.exe.90000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.Order Specification.exe.3dcec00.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.Order Specification.exe.378baef.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.Order Specification.exe.3dcec00.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 14.0.Order Specification.exe.400000.12.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 14.0.Order Specification.exe.400000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 16.2.host process.exe.379e424.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 23.0.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 16.2.host process.exe.37a2a4d.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 16.0.host process.exe.90000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 16.2.host process.exe.4ff4629.7.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 14.0.Order Specification.exe.4031bf.13.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 16.2.host process.exe.4ff0000.8.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.Order Specification.exe.3dd0dbf.7.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.Order Specification.exe.3789930.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.Order Specification.exe.37be541.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.Order Specification.exe.3a76590.6.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0000000E.00000003.409359357.0000000003D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.557826001.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000003.394646036.0000000001606000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000000.398076862.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.560916482.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000017.00000002.465643689.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000000.397724050.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000000.398470828.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000017.00000002.464295461.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000003.401463421.0000000003DA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000002.560139587.0000000003797000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000010.00000000.398997290.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000017.00000002.465733895.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000E.00000000.392054415.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: Order Specification.exe PID: 4232, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: Order Specification.exe PID: 4636, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: host process.exe PID: 7004, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 2060, type: MEMORYSTR
              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\host process.exe, type: DROPPED
              Source: Yara matchFile source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
              Source: C:\Users\user\AppData\Local\Temp\O.stub.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
              Source: Yara matchFile source: 00000011.00000002.559798734.000000000371E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: O.stub.exe PID: 6424, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: 14.0.Order Specification.exe.435c11.14.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.Order Specification.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.0.O.stub.exe.fd0000.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.Order Specification.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.400000.8.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3dd0dbf.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.0.O.stub.exe.fd0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.0.O.stub.exe.fd0000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3789930.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.400000.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.37be541.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3dcec00.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.378baef.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.435c11.10.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3dcec00.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.400000.12.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.400000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.435c11.10.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.Order Specification.exe.435c11.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.435c11.14.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.0.Order Specification.exe.4031bf.13.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.2.O.stub.exe.fd0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 17.0.O.stub.exe.fd0000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 14.2.Order Specification.exe.435c11.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3789930.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.37be541.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.Order Specification.exe.3a76590.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000011.00000002.557825125.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000003.394646036.0000000001606000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000011.00000000.409221651.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
              Source: Yara match | File source: 00000011.00000000.407162956.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000011.00000000.408484017.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
              Source: Yara match | File source: 00000011.00000000.408885887.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
              Source: Yara match | File source: 00000011.00000002.559798734.000000000371E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000000.392054415.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: Order Specification.exe PID: 4232, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: Order Specification.exe PID: 4636, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: O.stub.exe PID: 6424, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\O.stub.exe, type: DROPPED
              Source: Order Specification.exe, 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: Order Specification.exe, 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: Order Specification.exe, 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: host process.exe | String found in binary or memory: NanoCore.ClientPluginHost
              Source: host process.exe, 00000010.00000002.559647777.0000000002751000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: host process.exe, 00000010.00000002.559647777.0000000002751000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
              Source: host process.exe, 00000010.00000002.557826001.0000000000092000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: host process.exe, 00000010.00000002.560916482.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: host process.exe, 00000010.00000002.560139587.0000000003797000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: host process.exe, 00000010.00000002.560139587.0000000003797000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
              Source: host process.exe, 00000010.00000002.560644251.0000000004AC0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: host process.exe, 00000010.00000002.560644251.0000000004AC0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
              Source: dhcpmon.exe | String found in binary or memory: NanoCore.ClientPluginHost
              Source: dhcpmon.exe, 00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: dhcpmon.exe, 00000017.00000002.465643689.00000000027C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: dhcpmon.exe, 00000017.00000002.465643689.00000000027C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
              Source: dhcpmon.exe, 00000017.00000002.465733895.00000000037C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
              Source: dhcpmon.exe, 00000017.00000002.465733895.00000000037C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
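The memory-dump identifiers cited in the Yara and string evidence above (the `*.sdmp` names) encode where in each process the NanoCore artefacts were found, and that location is itself a finding: code sitting in executable private memory rather than in a mapped image was never loaded from a file by the Windows loader. The following Python is an example added to this report, not Joe Sandbox output. The field layout it decodes is inferred from cross-referencing the identifiers on this page with the `14.2.Order Specification.exe.4031bf` style names and the PID lines, and is an assumption: process index, dump stage, dump counter, region base address, page protection, an undecoded field, region type, and a second undecoded field. The `PAGE_*` and `MEM_*` values are the Windows constants from winnt.h; the sample identifiers are copied from this report.

```python
"""
Decode sandbox memory-dump identifiers of the form
    0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp
and flag regions whose protection/type combination points at in-memory
unpacking or process hollowing.

Example code added to this report, not Joe Sandbox output. Field layout is an
ASSUMPTION inferred from the identifiers in the report: process index, dump
stage (0 = process start, 2 = process end, 3 = during execution), dump
counter, region base address, page protection, <undecoded>, region type,
<undecoded>. The two undecoded fields are kept raw.
"""
import re
from dataclasses import dataclass

# MEMORY_BASIC_INFORMATION constants from winnt.h; these values are exact.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
STAGE = {0: "start", 2: "end", 3: "runtime"}

_SDMP = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    process_index: int   # sandbox process index, not the OS PID
    stage: str
    dump_id: int
    base: int
    protect: int
    mem_type: int
    raw_field6: int      # not decoded (assumption: meaning unknown)
    raw_field8: int      # not decoded (assumption: meaning unknown)

    @property
    def protect_name(self) -> str:
        # Mask off PAGE_GUARD / PAGE_NOCACHE / PAGE_WRITECOMBINE modifiers.
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    def is_executable(self) -> bool:
        # All four PAGE_EXECUTE* flags live in the high nibble of the low byte.
        return (self.protect & 0xF0) != 0

    def is_hollowing_candidate(self) -> bool:
        """Executable memory that is MEM_PRIVATE, i.e. never mapped from a file
        by the loader: the signature of RunPE/process hollowing and of
        self-unpacking droppers. A legitimately loaded module is MEM_IMAGE."""
        return self.is_executable() and self.mem_type == 0x20000


def parse_sdmp_name(name: str) -> DumpRegion:
    m = _SDMP.match(name.strip())
    if not m:
        raise ValueError(f"not a sandbox dump name: {name!r}")
    pidx, stage, dump_id, base, prot, f6, mtype, f8 = m.groups()
    return DumpRegion(
        process_index=int(pidx, 16),
        stage=STAGE.get(int(stage, 16), stage),
        dump_id=int(dump_id),
        base=int(base, 16),
        protect=int(prot, 16),
        mem_type=int(mtype, 16),
        raw_field6=int(f6, 16),
        raw_field8=int(f8, 16),
    )


def triage(names):
    """Return (flagged, region) per parsable name; unparsable names are skipped."""
    out = []
    for n in names:
        try:
            r = parse_sdmp_name(n)
        except ValueError:
            continue
        out.append((r.is_hollowing_candidate(), r))
    return out


# Identifiers copied from this report: the second Order Specification.exe
# (index 14), O.stub.exe (17), host process.exe (16), the first
# Order Specification.exe (2).
SAMPLE_DUMPS = [
    "0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp",
    "00000011.00000002.557825125.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp",
    "00000010.00000002.560916482.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp",
    "00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for flagged, r in triage(SAMPLE_DUMPS):
        mark = "HOLLOWING?" if flagged else "          "
        print(f"{mark} proc#{r.process_index:<3} {r.stage:<8} base=0x{r.base:08x} "
              f"{r.protect_name:<22} {r.type_name}")
```

Run as a script it prints one line per identifier. Only the 0x403000 region of process index 14 (the second `Order Specification.exe`) is both executable and MEM_PRIVATE; the same protection and type already appear in that process's stage-0 dumps on this page (`0000000E.00000000.…0000000000403000.00000040.…00020000…`), which is consistent with the parent process writing the payload into the suspended child before resuming it rather than the child unpacking itself after start. The regions at the image bases of `O.stub.exe`, `host process.exe` and `dhcpmon.exe` are MEM_IMAGE, i.e. the dropped files were executed from disk.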
Source: Yara match, File source: 2.2.Order Specification.exe.378baef.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 23.2.dhcpmon.exe.38095ee.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.2.host process.exe.379e424.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.0.Order Specification.exe.4031bf.9.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.2.host process.exe.90000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.Order Specification.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 23.2.dhcpmon.exe.380e424.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.Order Specification.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 23.2.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.0.Order Specification.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Order Specification.exe.3dd0dbf.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.0.host process.exe.90000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.2.Order Specification.exe.4031bf.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 23.2.dhcpmon.exe.3812a4d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.2.host process.exe.4ff0000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.0.host process.exe.90000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.2.host process.exe.37995ee.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Order Specification.exe.3789930.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.0.Order Specification.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.0.Order Specification.exe.4031bf.13.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.0.Order Specification.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 23.2.dhcpmon.exe.380e424.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.0.host process.exe.90000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Order Specification.exe.3dcec00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Order Specification.exe.378baef.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Order Specification.exe.3dcec00.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.0.Order Specification.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.0.Order Specification.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.2.host process.exe.379e424.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 23.0.dhcpmon.exe.100000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.2.host process.exe.37a2a4d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.0.host process.exe.90000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.2.host process.exe.4ff4629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 14.0.Order Specification.exe.4031bf.13.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.2.host process.exe.4ff0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Order Specification.exe.3dd0dbf.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Order Specification.exe.3789930.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Order Specification.exe.37be541.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Order Specification.exe.3a76590.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000E.00000003.409359357.0000000003D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.557826001.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000003.394646036.0000000001606000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000000.398076862.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.560916482.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.465643689.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000000.397724050.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000000.398470828.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.464295461.0000000000102000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000003.401463421.0000000003DA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.560139587.0000000003797000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000000.398997290.0000000000092000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.465733895.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000000.392054415.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Order Specification.exe PID: 4232, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Order Specification.exe PID: 4636, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: host process.exe PID: 7004, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 2060, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\host process.exe, type: DROPPED
Source: Yara match, File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\host process.exe, Code function: 16_2_049B2AB2 bind, 16_2_049B2AB2
Source: C:\Users\user\AppData\Local\Temp\host process.exe, Code function: 16_2_049B2A60 bind, 16_2_049B2A60
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 211 Windows Management Instrumentation | 1 Scheduled Task/Job | 1 Access Token Manipulation | 21 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 12 Process Injection | 1 Deobfuscate/Decode Files or Information | 111 Input Capture | 115 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | 1 Scheduled Task/Job | Logon Script (Windows) | 1 Scheduled Task/Job | 2 Obfuscated Files or Information | 1 Credentials in Registry | 311 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 1 Remote Access Software | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 14 Software Packing | NTDS | 2 Process Discovery | Distributed Component Object Model | 111 Input Capture | Scheduled Transfer | 1 Non-Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Masquerading | LSA Secrets | 131 Virtualization/Sandbox Evasion | SSH | Keylogging | Data Transfer Size Limits | 111 Application Layer Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 131 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 1 Remote System Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 12 Process Injection | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 Hidden Files and Directories | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph ID: 560231, Sample: Order Specification.exe, Start date: 26/01/2022, Architecture: WINDOWS, Score: 100

Start
  DNS/IP: timmy13.ddns.net
  Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 15 other signatures
  Order Specification.exe (started)
    Dropped: C:\Users\user\AppData\Roaming\hSoFri.exe (PE32); C:\Users\user\...\hSoFri.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpAB8A.tmp (XML); C:\Users\user\...\Order Specification.exe.log (ASCII)
    Signatures: Adds a directory exclusion to Windows Defender
    Order Specification.exe (started)
      DNS/IP: 192.168.2.1 unknown unknown
      Dropped: C:\Users\user\AppData\...\host process.exe (PE32); C:\Users\user\AppData\Local\Temp\O.stub.exe (PE32)
      O.stub.exe (started)
        DNS/IP: smtp.yandex.ru 77.88.21.158, ports 49798, 587, YANDEXRU, Russian Federation; smtp.yandex.com
        Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); 8 other signatures
      host process.exe (started)
        DNS/IP: timmy13.ddns.net 185.140.53.138, ports 28289, 49750, 49753, DAVID_CRAIGGG, Sweden
        Dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (ISO-8859)
        Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
    powershell.exe (started) -> conhost.exe (started)
    powershell.exe (started) -> conhost.exe (started)
    schtasks.exe (started) -> conhost.exe (started)
  dhcpmon.exe (started)
    Dropped: C:\Users\user\AppData\...\dhcpmon.exe.log (ASCII)

Source | Detection | Scanner | Label
Order Specification.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Avira | TR/Dropper.MSIL.Gen7
C:\Users\user\AppData\Local\Temp\host process.exe | 100% | Avira | TR/Dropper.MSIL.Gen7
C:\Users\user\AppData\Local\Temp\O.stub.exe | 100% | Avira | TR/Spy.Gen8
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\host process.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\O.stub.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\hSoFri.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 79% | Virustotal |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore
C:\Users\user\AppData\Local\Temp\O.stub.exe | 61% | Virustotal |
C:\Users\user\AppData\Local\Temp\O.stub.exe | 56% | Metadefender |
C:\Users\user\AppData\Local\Temp\O.stub.exe | 86% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Local\Temp\host process.exe | 79% | Virustotal |
C:\Users\user\AppData\Local\Temp\host process.exe | 100% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore
C:\Users\user\AppData\Roaming\hSoFri.exe | 16% | ReversingLabs | Win32.Trojan.Woreflint

Source | Detection | Scanner | Label
16.0.host process.exe.90000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
14.2.Order Specification.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
23.2.dhcpmon.exe.100000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
14.0.Order Specification.exe.400000.6.unpack | 100% | Avira | TR/Dropper.Gen
14.0.Order Specification.exe.400000.8.unpack | 100% | Avira | TR/Dropper.Gen
2.2.Order Specification.exe.3789930.3.unpack | 100% | Avira | TR/Dropper.Gen
16.2.host process.exe.90000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
17.0.O.stub.exe.fd0000.3.unpack | 100% | Avira | HEUR/AGEN.1138205
17.0.O.stub.exe.fd0000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
16.0.host process.exe.90000.2.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
16.2.host process.exe.4ff0000.8.unpack | 100% | Avira | TR/NanoCore.fadte
16.0.host process.exe.90000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
17.0.O.stub.exe.fd0000.1.unpack | 100% | Avira | HEUR/AGEN.1138205
2.2.Order Specification.exe.3dcec00.5.unpack | 100% | Avira | TR/Dropper.Gen
14.0.Order Specification.exe.400000.12.unpack | 100% | Avira | TR/Dropper.Gen
14.0.Order Specification.exe.400000.4.unpack | 100% | Avira | TR/Dropper.Gen
23.0.dhcpmon.exe.100000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
16.0.host process.exe.90000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
17.2.O.stub.exe.fd0000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
17.0.O.stub.exe.fd0000.2.unpack | 100% | Avira | HEUR/AGEN.1138205

No Antivirus matches
Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://MSN1yB6AgP4w05v9.net | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
timmy13.ddns.net | 185.140.53.138 | true | false | | high
smtp.yandex.ru | 77.88.21.158 | true | false | | high
smtp.yandex.com | unknown | unknown | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Order Specification.exe, 00000002.00000002.396167134.0000000002781000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | Order Specification.exe, 00000002.00000002.408676363.0000000006922000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://MSN1yB6AgP4w05v9.net | O.stub.exe, 00000011.00000002.559798734.000000000371E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
77.88.21.158 | smtp.yandex.ru | Russian Federation | 13238 | YANDEXRU | false
185.140.53.138 | timmy13.ddns.net | Sweden | 209623 | DAVID_CRAIGGG | false

Private IPs: 192.168.2.1
                                          Joe Sandbox Version:34.0.0 Boulder Opal
                                          Analysis ID:560231
                                          Start date:26.01.2022
                                          Start time:09:40:28
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 14m 25s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Sample file name:Order Specification.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                          Number of analysed new started processes analysed:30
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.troj.spyw.evad.winEXE@17/15@15/3
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HDC Information:
                                          • Successful, ratio: 4.8% (good quality ratio 2.8%)
                                          • Quality average: 29.8%
                                          • Quality standard deviation: 28.8%
                                          HCA Information:
                                          • Successful, ratio: 97%
                                          • Number of executed functions: 434
                                          • Number of non-executed functions: 4
                                          Cookbook Comments:
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Found application associated with file extension: .exe
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                          • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                          • Not all processes where analyzed, report is missing behavior information
                                          • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:41:47 | API Interceptor | 2x Sleep call for process: Order Specification.exe modified
09:42:06 | API Interceptor | 78x Sleep call for process: powershell.exe modified
09:42:22 | API Interceptor | 489x Sleep call for process: host process.exe modified
09:42:27 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
09:42:37 | API Interceptor | 373x Sleep call for process: O.stub.exe modified
                                          No context
                                          No context
                                          No context
                                          No context
                                          No context
                                          Process:C:\Users\user\AppData\Local\Temp\host process.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):207360
                                          Entropy (8bit):7.448972782235035
                                          Encrypted:false
                                          SSDEEP:3072:gzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIXquGTziui+IOIB3089u1L5WUb:gLV6Bta6dtJmakIM5jNilOIW8uxb
                                          MD5:042FA6CD64D8F55F1405D130E306E47A
                                          SHA1:C7D7DE4600FEB4953D05674F862D992B03E7F44B
                                          SHA-256:5932288E5C5EF8EDA3E5B63D7E0734123E533FEDCF861A72822004C549606F52
                                          SHA-512:E5ADD4BB755E59A9244605352612125B026CFAE84118F315594D960359A4795F973A5D9D5B4769FA0A57B607EE075367BA11D209CC6985E931EDDAF531343283
                                          Malicious:true
                                          Yara Hits:
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                          Antivirus:
                                          • Antivirus: Avira, Detection: 100%
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: Virustotal, Detection: 79%, Browse
                                          • Antivirus: ReversingLabs, Detection: 100%
                                          Reputation:unknown
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................`........... ........@.. ......................................................................8...W.... ...]........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc....]... ...^..................@..@................t.......H...........T............................................................0..Q........o5.......*.o6....-.&......3+..+.... ....3......1..... 2.... ....3.... .......*.*....0..E.......s7....-(&s8....-&&s9....,$&s:........s;........*.....+.....+.....+.....0..........~....o<...*..0..........~....o=...*..0..........~....o>...*..0..........~....o?...*..0..........~....o@...*..0.............-.&(A...*&+...0..$.......~B........-.(...+.-.&+..B...+.~B...*.0.............-.&(A...*&+...0..
                                          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):0
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                          MD5:61CCF53571C9ABA6511D696CB0D32E45
                                          SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                          SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                          SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                          Malicious:true
                                          Reputation:unknown
                                          Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                          Process:C:\Users\user\Desktop\Order Specification.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:modified
                                          Size (bytes):1216
                                          Entropy (8bit):5.355304211458859
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                          MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                          SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                          SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                          SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                          Malicious:true
                                          Reputation:unknown
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):22320
                                          Entropy (8bit):5.602295366370523
                                          Encrypted:false
                                          SSDEEP:384:utCD59q0H9h5jM7kXRngSBKn4jultIi3zY9gFSJ3x6T1MaPZlbAV7VWwm5ZBDI+S:fqk5g4K4Clt9LFcACOfwIVQ
                                          MD5:56D65B81BCA3D13EF462EE79DDD45A01
                                          SHA1:B2028A764FFE8032980B30AAF47693DDAFA0E18A
                                          SHA-256:61D13A9F1A04202A2E8F9A24DFD2E5E7F65E45E7F5D2D8BD62CB591FD61700D8
                                          SHA-512:8342A4FA8C24A3DA6A7F08D2C92340AEB83174663C74EEE2BFFD1F4C51C92398FF79CA9580597531BBBA110CF3C13266EC3956185B01945A676D66019A8E7F84
                                          Malicious:false
                                          Reputation:unknown
                                          Preview:@...e...................e.............c...F..........@..........H...............<@.^.L."My...:U..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                          Process:C:\Users\user\Desktop\Order Specification.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):283136
                                          Entropy (8bit):6.583518106694022
                                          Encrypted:false
                                          SSDEEP:3072:48lUfsVrpgVIRckQkPIQBoczsDnW+xtUpYslLR8o5s9ODfa8CKeZp/YUNRnoFd18:48lZgPlhKYc2K+p/YUk1wP6D
                                          MD5:69709CD1D2019B22E72550ABE3AEF9D7
                                          SHA1:D82D111D5ECB7E2D4DA56C40E9B6EFB409C90243
                                          SHA-256:B1C71A6054350653138D7C6D9E501DC09E79BCDFD5FECD4F29461B7CA7DA23A4
                                          SHA-512:5268D185A569FC35CE5761B47713A9D94018A9EA7C9C42EE5942A13722C8D460C3D7760996F21604AA188C24C17EA64DF516D261A73E2BCE5FD75FCBABF83861
                                          Malicious:true
                                          Yara Hits:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\O.stub.exe, Author: Joe Security
                                          Antivirus:
                                          • Antivirus: Avira, Detection: 100%
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: Virustotal, Detection: 61%, Browse
                                          • Antivirus: Metadefender, Detection: 56%, Browse
                                          • Antivirus: ReversingLabs, Detection: 86%
                                          Reputation:unknown
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ul.^.................J...........i... ........@.. ....................................@..................................i..W....... ............................................................................ ............... ..H............text....I... ...J.................. ..`.rsrc... ............L..............@..@.reloc...............P..............@..B.................i......H..................L............................................................q;.SfQ.k..g.2&.0..W.a..JaAN'nG.2N.. .....e..@N.J......@...DG9.....j...GSENaO.p..u..2.. q4......7...U...]..].h7C2..H.{4.o0:.W.c...C.II*.3Mr........W.&F~5...J.r6IG{X..X.d..P..F...0........8GCU.}.r`...._.a.N..0vDjVG..6.9.3.\. ....8....5_X....`.B;.N....N....S_p..em,Rc.9.4_*5..p..kOPulz-.~..@........v.#K...c......p&X..K..> rH.Ra...$l.j4.n.."J.S.:..p6.)w...k.@".c..6..G...Ok.w...4....
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:very short file (no magic)
                                          Category:dropped
                                          Size (bytes):1
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3:U:U
                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                          Malicious:false
                                          Reputation:unknown
                                          Preview:1
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:very short file (no magic)
                                          Category:dropped
                                          Size (bytes):1
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3:U:U
                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                          Malicious:false
                                          Reputation:unknown
                                          Preview:1
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:very short file (no magic)
                                          Category:dropped
                                          Size (bytes):1
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3:U:U
                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                          Malicious:false
                                          Reputation:unknown
                                          Preview:1
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:very short file (no magic)
                                          Category:dropped
                                          Size (bytes):1
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3:U:U
                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                          Malicious:false
                                          Reputation:unknown
                                          Preview:1
                                          Process:C:\Users\user\Desktop\Order Specification.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):207360
                                          Entropy (8bit):7.448972782235035
                                          Encrypted:false
                                          SSDEEP:3072:gzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIXquGTziui+IOIB3089u1L5WUb:gLV6Bta6dtJmakIM5jNilOIW8uxb
                                          MD5:042FA6CD64D8F55F1405D130E306E47A
                                          SHA1:C7D7DE4600FEB4953D05674F862D992B03E7F44B
                                          SHA-256:5932288E5C5EF8EDA3E5B63D7E0734123E533FEDCF861A72822004C549606F52
                                          SHA-512:E5ADD4BB755E59A9244605352612125B026CFAE84118F315594D960359A4795F973A5D9D5B4769FA0A57B607EE075367BA11D209CC6985E931EDDAF531343283
                                          Malicious:true
                                          Yara Hits:
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\host process.exe, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\host process.exe, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\host process.exe, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\host process.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                          Antivirus:
                                          • Antivirus: Avira, Detection: 100%
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: Virustotal, Detection: 79%, Browse
                                          • Antivirus: ReversingLabs, Detection: 100%
                                          Reputation:unknown
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................`........... ........@.. ......................................................................8...W.... ...]........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc....]... ...^..................@..@................t.......H...........T............................................................0..Q........o5.......*.o6....-.&......3+..+.... ....3......1..... 2.... ....3.... .......*.*....0..E.......s7....-(&s8....-&&s9....,$&s:........s;........*.....+.....+.....+.....0..........~....o<...*..0..........~....o=...*..0..........~....o>...*..0..........~....o?...*..0..........~....o@...*..0.............-.&(A...*&+...0..$.......~B........-.(...+.-.&+..B...+.~B...*.0.............-.&(A...*&+...0..
                                          Process:C:\Users\user\Desktop\Order Specification.exe
                                          File Type:XML 1.0 document, ASCII text
                                          Category:dropped
                                          Size (bytes):1593
                                          Entropy (8bit):5.141768339977495
                                          Encrypted:false
                                          SSDEEP:24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtKsxvn:cge4MYrFdOFzOzN33ODOiDdKrsuTvv
                                          MD5:037A61002A275FED53876DF0D9F642CC
                                          SHA1:108031CCE5F1F70B78C79DED404B7289F1050EFA
                                          SHA-256:54F25AE17434ED38BEE93878B8325F59A3668869BBFC788583A059F72F6C7D6E
                                          SHA-512:BA880318798540C1603B54CB6A8C9FF3FE30975E571E84A2F9442CA325699CD1B80439F496C750F25DCF164008F94A8B43C1E6F19230FB2573FEB42D78899133
                                          Malicious:true
                                          Reputation:unknown
                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
                                          Process:C:\Users\user\AppData\Local\Temp\host process.exe
                                          File Type:ISO-8859 text, with no line terminators
                                          Category:dropped
                                          Size (bytes):8
                                          Entropy (8bit):3.0
                                          Encrypted:false
                                          SSDEEP:3:K/t:K/t
                                          MD5:7B01808876B71D5563C569BDB68ECBF0
                                          SHA1:91EBD369B216066E48E6CCD9C36A28CB7BBF5E24
                                          SHA-256:C0A3A593E0BF36CB3F38F7304189314A47335BC416E970307DEF03F341DE850B
                                          SHA-512:4FAE226A384554086A08DA7EDAD73FECBBCA07F8EB1B909EE94BD3F1C8142631460DA31B76195F650ABF20411AEA830E8F36A0E1F9A2107F3FA89F9EEFF679FA
                                          Malicious:true
                                          Reputation:unknown
                                          Preview:@..4...H
                                          Process:C:\Users\user\Desktop\Order Specification.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):1590272
                                          Entropy (8bit):6.940071765645881
                                          Encrypted:false
                                          SSDEEP:24576:M0KeYYX4u9x1MbMMwqG2whjg5SithktIhbeArHmNH/GsEp:M83x1MIpZ2wWSgb5rHmNf5
                                          MD5:0484C885885E6B4635CF330D72EABA9A
                                          SHA1:86ED8AE352598BA36D7B58CEBA43A81773AB0BB9
                                          SHA-256:762AA095E3249E971C9B8ED7B0BF6489648DB9A61496112FF237D6120F3E092B
                                          SHA-512:E3BFC22DDB3D4448AD0455E3B8541BB2AEC65D488AB5D9A97A5F3E9C8CB661495BFD94AFB91192092BCC14921C5A20F3B458E1A62B3211A554E5D38F34D10BF2
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 16%
                                          Reputation:unknown
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0.................. ........@.. ....................................@.....................................O................................................................................... ............... ..H............text...P.... ...................... ..`.rsrc..............................@..@.reloc...............B..............@..B.......................H.......<...\............... &...........................................0..G........r...p.......,..r...ps....z...(....(...........r...p.o....(....s....z.*..........-.......0..o........s......s......~..........(.........o.........,..(.......o ......*...rW..p..o....(....(!..........,..o".......*..(.......-..........4B..........Za.......0..o........s#........o$....s%......+......J...r...p(&...o'...&...X....i......-..o(.......&.r...p(!..........,..o".......*.........GO..........
                                          Process:C:\Users\user\Desktop\Order Specification.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):26
                                          Entropy (8bit):3.95006375643621
                                          Encrypted:false
                                          SSDEEP:3:ggPYV:rPYV
                                          MD5:187F488E27DB4AF347237FE461A079AD
                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                          Malicious:true
                                          Reputation:unknown
                                          Preview:[ZoneTransfer]....ZoneId=0
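The per-file fields above (size, 8-bit entropy, MD5/SHA-1/SHA-256/SHA-512) can be recomputed offline to confirm that a file pulled from an infected host is the same artifact the sandbox saw, and the Zone.Identifier stream just listed is worth parsing rather than eyeballing: ZoneId=0 is the MyComputer zone, so SmartScreen and Office Protected View never treat the file as downloaded. The code below is an added example, not part of the Joe Sandbox report or of any tool it names. It assumes the 26-byte Zone.Identifier content is "[ZoneTransfer]" followed by two CRLFs and "ZoneId=0", which is inferred from the preview and size (the placement of the line breaks is an assumption); the one-byte file "1" is taken directly from the report.

```python
"""Recompute sandbox dropped-file fields and read Mark-of-the-Web state.
Added example; not from the report or any tool it names.  Sample inputs are
constructed to match the previews in the report."""
import hashlib
import math
from collections import Counter


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), i.e. the 'Entropy (8bit)'
    field.  Values close to 8 indicate compressed, encrypted or packed content;
    the 7.45 of host process.exe above sits in that range."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_fields(data: bytes) -> dict:
    """Size, entropy and the four digests the report lists for a dropped file."""
    return {
        "size": len(data),
        "entropy": shannon_entropy_8bit(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


# URL security zone ids as used in the Zone.Identifier alternate data stream.
ZONE_NAMES = {0: "MyComputer", 1: "LocalIntranet", 2: "Trusted",
              3: "Internet", 4: "Untrusted"}


def parse_zone_identifier(stream: bytes) -> dict:
    """Parse a Zone.Identifier ADS (INI syntax).  A file only carries a
    Mark-of-the-Web that triggers SmartScreen / Protected View when ZoneId is
    3 (Internet) or 4 (Untrusted); 0 means the mark is absent or was removed."""
    values = {}
    section = None
    for raw in stream.decode("ascii", errors="replace").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    zone_text = values.get("ZoneId", "")
    zone = int(zone_text) if zone_text.isdigit() else None
    return {
        "zone_id": zone,
        "zone_name": ZONE_NAMES.get(zone, "unknown"),
        "marked_as_downloaded": zone is not None and zone >= 3,
    }


# Constructed samples: the 1-byte files written by powershell.exe and the
# Zone.Identifier stream written by Order Specification.exe (layout assumed).
ONE_BYTE_FILE = b"1"
ZONE_STREAM = b"[ZoneTransfer]\r\n\r\nZoneId=0"

if __name__ == "__main__":
    for name, blob in (("one-byte file", ONE_BYTE_FILE), ("Zone.Identifier", ZONE_STREAM)):
        f = file_fields(blob)
        print(f"{name}: size={f['size']} entropy={f['entropy']:.4f} md5={f['md5']}")
    print(parse_zone_identifier(ZONE_STREAM))
```

Run it against the bytes of a recovered file and compare the printed digests with the report's entry; a mismatch means you are looking at a different build of the dropper, not the one analysed here. The Zone.Identifier parser returns `marked_as_downloaded=False` for the stream above, which is exactly the condition the "Hides that the sample has been downloaded from the Internet" signature reports.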
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):5773
                                          Entropy (8bit):5.391356208223318
                                          Encrypted:false
                                          SSDEEP:96:BZGh0NDqDo1ZJZoh0NDqDo1ZQUycjZvh0NDqDo1ZrRMMZZq:L
                                          MD5:4A3328A227A57BB90B22780BCF60740B
                                          SHA1:1176B172DE936EA36D1D263FB1E175E6E4EB87E4
                                          SHA-256:50DAF7185A8E0BE02C81755127A9FEA05F8275699E86E4828D1AB61FB8F0F61B
                                          SHA-512:B966D850C4668C140817E2561F5F00526D7A39ED522F68B8C3098AE5EBFE8D54E262F8E227362DE047DDA455A54CAEC315A43B3E223C847C2895B52391956918
                                          Malicious:false
                                          Reputation:unknown
                                          Preview:.**********************..Windows PowerShell transcript start..Start time: 20220126094208..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 468325 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\hSoFri.exe..Process ID: 4404..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220126094208..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\hSoFri.exe..**********************..Windows PowerShell transcript start..Start time: 20220126094606..Username: computer\user..RunAs User: computer\user..Confi
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3558
                                          Entropy (8bit):5.307359393941608
                                          Encrypted:false
                                          SSDEEP:96:BZwPh0NhqDo1ZSVgZdh0NhqDo1ZKqk10c10c10QZy:jRR0
                                          MD5:BE2FEB404409EB32D98953C5985A64D5
                                          SHA1:9A4DEC1A870A0F41E2E1B72E12A641128754D3F4
                                          SHA-256:AC2279268C7FDD3DA9C77C9D09C0CDF76F3381B97CC47F897A4EADA64AE85C97
                                          SHA-512:6BB027514F72D59AAD6E7F0C4451F2760EA9A5E1B352E57D41EF2F0333789117F25432B84273E7BE4BA740FE2C699EEF5BC3416D3A38991FB5D59ED134DCA376
                                          Malicious:false
                                          Reputation:unknown
                                          Preview:.**********************..Windows PowerShell transcript start..Start time: 20220126094206..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 468325 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Order Specification.exe..Process ID: 6828..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220126094206..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Order Specification.exe..**********************..Command start time: 20220126094525..**********************..PS>TerminatingError(Add-MpPreference): "A positional parameter canno
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):6.940071765645881
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:Order Specification.exe
                                          File size:1590272
                                          MD5:0484c885885e6b4635cf330d72eaba9a
                                          SHA1:86ed8ae352598ba36d7b58ceba43a81773ab0bb9
                                          SHA256:762aa095e3249e971c9b8ed7b0bf6489648db9a61496112ff237d6120f3e092b
                                          SHA512:e3bfc22ddb3d4448ad0455e3b8541bb2aec65d488ab5d9a97a5f3e9c8cb661495bfd94afb91192092bcc14921c5a20f3b458e1a62b3211a554e5d38f34d10bf2
                                          SSDEEP:24576:M0KeYYX4u9x1MbMMwqG2whjg5SithktIhbeArHmNH/GsEp:M83x1MIpZ2wWSgb5rHmNf5
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0.................. ........@.. ....................................@................................
                                          Icon Hash:4d306d4d4d574025
                                          Entrypoint:0x51bc0a
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                          Time Stamp:0x61F0A2FE [Wed Jan 26 01:25:18 2022 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:v4.0.30319
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Instruction
                                          jmp dword ptr [00402000h]
                                           Name | Virtual Address | Virtual Size | Is in Section
                                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0x11bbb8 | 0x4f | .text
                                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11c000 | 0x6a0d0 | .rsrc
                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x188000 | 0xc | .reloc
                                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                           Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                           .text | 0x2000 | 0x119c50 | 0x119e00 | False | 0.788106291574 | data | 7.72216008471 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                           .rsrc | 0x11c000 | 0x6a0d0 | 0x6a200 | False | 0.0926779667256 | data | 2.61241368122 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                           .reloc | 0x188000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                           Name | RVA | Size | Type | Language | Country
                                           RT_ICON | 0x11c2e0 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                           RT_ICON | 0x11c748 | 0x988 | data | |
                                           RT_ICON | 0x11d0d0 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294440951, next used block 4294440951 | |
                                           RT_ICON | 0x11e178 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4294440951, next used block 4294440951 | |
                                           RT_ICON | 0x120720 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4294440951, next used block 4294440951 | |
                                           RT_ICON | 0x124948 | 0x5488 | data | |
                                           RT_ICON | 0x129dd0 | 0x94a8 | data | |
                                           RT_ICON | 0x133278 | 0x10828 | data | |
                                           RT_ICON | 0x143aa0 | 0x42028 | data | |
                                           RT_GROUP_ICON | 0x185ac8 | 0x84 | data | |
                                           RT_GROUP_ICON | 0x185b4c | 0x14 | data | |
                                           RT_VERSION | 0x185b60 | 0x384 | data | |
                                           RT_MANIFEST | 0x185ee4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
                                           DLL | Import
                                           mscoree.dll | _CorExeMain
                                           Description | Data
                                           Translation | 0x0000 0x04b0
                                           LegalCopyright | Copyright 2012
                                           Assembly Version | 1.5.0.0
                                           InternalName | CompareOptio.exe
                                           FileVersion | 22.0.3.0
                                           CompanyName |
                                           LegalTrademarks |
                                           Comments |
                                           ProductName | iiInfinityEngine Application
                                           ProductVersion | 22.0.3.0
                                           FileDescription | iiInfinityEngine Application
                                           OriginalFilename | CompareOptio.exe
                                           Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                           01/26/22-09:42:25.202538 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 60784 | 8.8.8.8 | 192.168.2.3
                                           01/26/22-09:42:31.066171 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 51143 | 8.8.8.8 | 192.168.2.3
                                           01/26/22-09:42:49.473655 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 60823 | 8.8.8.8 | 192.168.2.3
                                           01/26/22-09:42:55.066247 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 53615 | 8.8.8.8 | 192.168.2.3
                                           01/26/22-09:43:00.728056 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 50728 | 8.8.8.8 | 192.168.2.3
                                           01/26/22-09:43:18.172469 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 56773 | 8.8.8.8 | 192.168.2.3
                                           01/26/22-09:43:34.057225 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 64367 | 8.8.8.8 | 192.168.2.3
                                           Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                           Jan 26, 2022 09:42:25.182646990 CET | 192.168.2.3 | 8.8.8.8 | 0x1944 | Standard query (0) | timmy13.ddns.net | A (IP address) | IN (0x0001)
                                           Jan 26, 2022 09:42:31.044960976 CET | 192.168.2.3 | 8.8.8.8 | 0x99ad | Standard query (0) | timmy13.ddns.net | A (IP address) | IN (0x0001)
                                           Jan 26, 2022 09:42:37.120547056 CET | 192.168.2.3 | 8.8.8.8 | 0x4c6f | Standard query (0) | timmy13.ddns.net | A (IP address) | IN (0x0001)
                                           Jan 26, 2022 09:42:44.004282951 CET | 192.168.2.3 | 8.8.8.8 | 0x29e8 | Standard query (0) | timmy13.ddns.net | A (IP address) | IN (0x0001)
                                           Jan 26, 2022 09:42:49.449872017 CET | 192.168.2.3 | 8.8.8.8 | 0x8e4b | Standard query (0) | timmy13.ddns.net | A (IP address) | IN (0x0001)
                                           Jan 26, 2022 09:42:55.044657946 CET | 192.168.2.3 | 8.8.8.8 | 0xf198 | Standard query (0) | timmy13.ddns.net | A (IP address) | IN (0x0001)
                                           Jan 26, 2022 09:43:00.704776049 CET | 192.168.2.3 | 8.8.8.8 | 0xd685 | Standard query (0) | timmy13.ddns.net | A (IP address) | IN (0x0001)
                                           Jan 26, 2022 09:43:03.380341053 CET | 192.168.2.3 | 8.8.8.8 | 0x7ff7 | Standard query (0) | smtp.yandex.com | A (IP address) | IN (0x0001)
                                           Jan 26, 2022 09:43:06.362476110 CET | 192.168.2.3 | 8.8.8.8 | 0x5eec | Standard query (0) | timmy13.ddns.net | A (IP address) | IN (0x0001)
                                           Jan 26, 2022 09:43:11.825968981 CET | 192.168.2.3 | 8.8.8.8 | 0xf564 | Standard query (0) | timmy13.ddns.net | A (IP address) | IN (0x0001)
                                           Jan 26, 2022 09:43:18.151487112 CET | 192.168.2.3 | 8.8.8.8 | 0xf7f1 | Standard query (0) | timmy13.ddns.net | A (IP address) | IN (0x0001)
                                           Jan 26, 2022 09:43:23.688218117 CET | 192.168.2.3 | 8.8.8.8 | 0x8d5a | Standard query (0) | timmy13.ddns.net | A (IP address) | IN (0x0001)
                                           Jan 26, 2022 09:43:28.907742977 CET | 192.168.2.3 | 8.8.8.8 | 0x51e8 | Standard query (0) | timmy13.ddns.net | A (IP address) | IN (0x0001)
                                           Jan 26, 2022 09:43:34.035686016 CET | 192.168.2.3 | 8.8.8.8 | 0x791d | Standard query (0) | timmy13.ddns.net | A (IP address) | IN (0x0001)
                                           Jan 26, 2022 09:43:39.300755024 CET | 192.168.2.3 | 8.8.8.8 | 0x8650 | Standard query (0) | timmy13.ddns.net | A (IP address) | IN (0x0001)
                                           Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                           Jan 26, 2022 09:42:25.202538013 CET | 8.8.8.8 | 192.168.2.3 | 0x1944 | No error (0) | timmy13.ddns.net | | 185.140.53.138 | A (IP address) | IN (0x0001)
                                           Jan 26, 2022 09:42:31.066170931 CET | 8.8.8.8 | 192.168.2.3 | 0x99ad | No error (0) | timmy13.ddns.net | | 185.140.53.138 | A (IP address) | IN (0x0001)
                                           Jan 26, 2022 09:42:37.140003920 CET | 8.8.8.8 | 192.168.2.3 | 0x4c6f | No error (0) | timmy13.ddns.net | | 185.140.53.138 | A (IP address) | IN (0x0001)
                                           Jan 26, 2022 09:42:44.023794889 CET | 8.8.8.8 | 192.168.2.3 | 0x29e8 | No error (0) | timmy13.ddns.net | | 185.140.53.138 | A (IP address) | IN (0x0001)
                                           Jan 26, 2022 09:42:49.473654985 CET | 8.8.8.8 | 192.168.2.3 | 0x8e4b | No error (0) | timmy13.ddns.net | | 185.140.53.138 | A (IP address) | IN (0x0001)
                                           Jan 26, 2022 09:42:55.066246986 CET | 8.8.8.8 | 192.168.2.3 | 0xf198 | No error (0) | timmy13.ddns.net | | 185.140.53.138 | A (IP address) | IN (0x0001)
                                           Jan 26, 2022 09:43:00.728055954 CET | 8.8.8.8 | 192.168.2.3 | 0xd685 | No error (0) | timmy13.ddns.net | | 185.140.53.138 | A (IP address) | IN (0x0001)
                                           Jan 26, 2022 09:43:03.403417110 CET | 8.8.8.8 | 192.168.2.3 | 0x7ff7 | No error (0) | smtp.yandex.com | smtp.yandex.ru | | CNAME (Canonical name) | IN (0x0001)
                                           Jan 26, 2022 09:43:03.403417110 CET | 8.8.8.8 | 192.168.2.3 | 0x7ff7 | No error (0) | smtp.yandex.ru | | 77.88.21.158 | A (IP address) | IN (0x0001)
                                           Jan 26, 2022 09:43:06.382766008 CET | 8.8.8.8 | 192.168.2.3 | 0x5eec | No error (0) | timmy13.ddns.net | | 185.140.53.138 | A (IP address) | IN (0x0001)
                                           Jan 26, 2022 09:43:11.846683979 CET | 8.8.8.8 | 192.168.2.3 | 0xf564 | No error (0) | timmy13.ddns.net | | 185.140.53.138 | A (IP address) | IN (0x0001)
                                           Jan 26, 2022 09:43:18.172468901 CET | 8.8.8.8 | 192.168.2.3 | 0xf7f1 | No error (0) | timmy13.ddns.net | | 185.140.53.138 | A (IP address) | IN (0x0001)
                                           Jan 26, 2022 09:43:23.708151102 CET | 8.8.8.8 | 192.168.2.3 | 0x8d5a | No error (0) | timmy13.ddns.net | | 185.140.53.138 | A (IP address) | IN (0x0001)
                                           Jan 26, 2022 09:43:28.928096056 CET | 8.8.8.8 | 192.168.2.3 | 0x51e8 | No error (0) | timmy13.ddns.net | | 185.140.53.138 | A (IP address) | IN (0x0001)
                                           Jan 26, 2022 09:43:34.057224989 CET | 8.8.8.8 | 192.168.2.3 | 0x791d | No error (0) | timmy13.ddns.net | | 185.140.53.138 | A (IP address) | IN (0x0001)
                                           Jan 26, 2022 09:43:39.320759058 CET | 8.8.8.8 | 192.168.2.3 | 0x8650 | No error (0) | timmy13.ddns.net | | 185.140.53.138 | A (IP address) | IN (0x0001)
                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                          Jan 26, 2022 09:43:03.766495943 CET | 587 | 49798 | 77.88.21.158 | 192.168.2.3 | 220 myt5-aad1beefab42.qloud-c.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1643186583-1Uow8YIc1E-h3HeBpvb
                                          Jan 26, 2022 09:43:03.766866922 CET | 49798 | 587 | 192.168.2.3 | 77.88.21.158 | EHLO 468325
                                          Jan 26, 2022 09:43:03.828377008 CET | 587 | 49798 | 77.88.21.158 | 192.168.2.3 | 250-myt5-aad1beefab42.qloud-c.yandex.net
                                                                                                                              250-8BITMIME
                                                                                                                              250-PIPELINING
                                                                                                                              250-SIZE 53477376
                                                                                                                              250-STARTTLS
                                                                                                                              250-AUTH LOGIN PLAIN XOAUTH2
                                                                                                                              250-DSN
                                                                                                                              250 ENHANCEDSTATUSCODES
                                          Jan 26, 2022 09:43:03.829010963 CET | 49798 | 587 | 192.168.2.3 | 77.88.21.158 | STARTTLS
                                          Jan 26, 2022 09:43:03.891742945 CET | 587 | 49798 | 77.88.21.158 | 192.168.2.3 | 220 Go ahead

                                          Target ID:2
                                          Start time:09:41:22
                                          Start date:26/01/2022
                                          Path:C:\Users\user\Desktop\Order Specification.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\Order Specification.exe"
                                          Imagebase:0x330000
                                          File size:1590272 bytes
                                          MD5 hash:0484C885885E6B4635CF330D72EABA9A
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.397106663.0000000003789000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000002.00000002.396167134.0000000002781000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.397412995.0000000003953000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          Reputation:low

                                          Target ID:8
                                          Start time:09:42:03
                                          Start date:26/01/2022
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order Specification.exe
                                          Imagebase:0x1230000
                                          File size:430592 bytes
                                          MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Reputation:high

                                          Target ID:9
                                          Start time:09:42:04
                                          Start date:26/01/2022
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7f20f0000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:10
                                          Start time:09:42:05
                                          Start date:26/01/2022
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hSoFri.exe
                                          Imagebase:0x1230000
                                          File size:430592 bytes
                                          MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Reputation:high

                                          Target ID:11
                                          Start time:09:42:06
                                          Start date:26/01/2022
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7f20f0000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:12
                                          Start time:09:42:06
                                          Start date:26/01/2022
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hSoFri" /XML "C:\Users\user\AppData\Local\Temp\tmpAB8A.tmp
                                          Imagebase:0xaf0000
                                          File size:185856 bytes
                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:13
                                          Start time:09:42:08
                                          Start date:26/01/2022
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7f20f0000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:14
                                          Start time:09:42:09
                                          Start date:26/01/2022
                                          Path:C:\Users\user\Desktop\Order Specification.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\Desktop\Order Specification.exe
                                          Imagebase:0xfb0000
                                          File size:1590272 bytes
                                          MD5 hash:0484C885885E6B4635CF330D72EABA9A
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Visual Basic
                                          Yara matches:
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000003.409359357.0000000003D41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000003.394646036.0000000001606000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000003.394646036.0000000001606000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000003.394646036.0000000001606000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 0000000E.00000003.394646036.0000000001606000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.411370760.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000003.401463421.0000000003DA6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 0000000E.00000000.391445952.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000000.392054415.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.392054415.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000000.392054415.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 0000000E.00000000.392054415.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          Reputation:low

                                          Target ID:16
                                          Start time:09:42:15
                                          Start date:26/01/2022
                                          Path:C:\Users\user\AppData\Local\Temp\host process.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Local\Temp\host process.exe" 0
                                          Imagebase:0x90000
                                          File size:207360 bytes
                                          MD5 hash:042FA6CD64D8F55F1405D130E306E47A
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.557826001.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.557826001.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.557826001.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000000.398076862.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000000.398076862.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000010.00000000.398076862.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.560916482.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000010.00000002.560916482.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.560916482.0000000004FF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000000.397724050.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000000.397724050.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000010.00000000.397724050.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000000.398470828.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000000.398470828.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000010.00000000.398470828.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.560139587.0000000003797000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000010.00000002.560139587.0000000003797000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000000.398997290.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000000.398997290.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000010.00000000.398997290.0000000000092000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.560644251.0000000004AC0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000010.00000002.560644251.0000000004AC0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\host process.exe, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\host process.exe, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\host process.exe, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\host process.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                          Antivirus matches:
                                          • Detection: 100%, Avira
                                          • Detection: 100%, Joe Sandbox ML
                                          • Detection: 79%, Virustotal, Browse
                                          • Detection: 100%, ReversingLabs
                                          Reputation:low

                                          Target ID:17
                                          Start time:09:42:18
                                          Start date:26/01/2022
                                          Path:C:\Users\user\AppData\Local\Temp\O.stub.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Local\Temp\O.stub.exe" 0
                                          Imagebase:0xfd0000
                                          File size:283136 bytes
                                          MD5 hash:69709CD1D2019B22E72550ABE3AEF9D7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.557825125.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000000.409221651.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000000.407162956.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000000.408484017.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000000.408885887.0000000000FD2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.559798734.000000000371E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.559798734.000000000371E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: C:\Users\user\AppData\Local\Temp\O.stub.exe, Author: Joe Security
                                          Antivirus matches:
                                          • Detection: 100%, Avira
                                          • Detection: 100%, Joe Sandbox ML
                                          • Detection: 61%, Virustotal, Browse
                                          • Detection: 56%, Metadefender, Browse
                                          • Detection: 86%, ReversingLabs
                                          Reputation:low

                                          Target ID:23
                                          Start time:09:42:35
                                          Start date:26/01/2022
                                          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
                                          Imagebase:0x100000
                                          File size:207360 bytes
                                          MD5 hash:042FA6CD64D8F55F1405D130E306E47A
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000017.00000000.441131157.0000000000102000.00000002.00000001.01000000.00000007.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.465643689.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.465643689.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000002.464295461.0000000000102000.00000002.00000001.01000000.00000007.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.464295461.0000000000102000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.464295461.0000000000102000.00000002.00000001.01000000.00000007.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.465733895.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.465733895.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                          Antivirus matches:
                                          • Detection: 100%, Avira
                                          • Detection: 100%, Joe Sandbox ML
                                          • Detection: 79%, Virustotal, Browse
                                          • Detection: 100%, ReversingLabs
                                          Reputation:low

                                            Execution Graph

                                            Execution Coverage:10%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:118
                                            Total number of Limit Nodes:5

                                            Control-flow Graph

                                            control_flow_graph 0 dffd6c-dffd72 1 dffd76-dffdde 0->1 2 dffd74 0->2 3 dffde9-dffdf0 1->3 4 dffde0-dffde6 1->4 2->1 5 dffdfb-dffe33 3->5 6 dffdf2-dffdf8 3->6 4->3 7 dffe3b-dffe9a CreateWindowExW 5->7 6->5 8 dffe9c-dffea2 7->8 9 dffea3-dffedb 7->9 8->9 13 dffedd-dffee0 9->13 14 dffee8 9->14 13->14 15 dffee9 14->15 15->15
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00DFFE8A
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.395870761.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_df0000_Order Specification.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: e6bd026462750214440254ae43f41fd8ced1cb8a1ca496e12c8f919ac16e7a39
                                            • Instruction ID: 53cd53bdc51986bb53919bf06f240d4d851c4234576b6665f372489c81ea4e0a
                                            • Opcode Fuzzy Hash: e6bd026462750214440254ae43f41fd8ced1cb8a1ca496e12c8f919ac16e7a39
                                            • Instruction Fuzzy Hash: 3451F0B1D003499FDF14CFA9C880ADEBFB5BF48314F25822AE918AB250D7749845CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 16 dfde4c-dffdde 18 dffde9-dffdf0 16->18 19 dffde0-dffde6 16->19 20 dffdfb-dffe9a CreateWindowExW 18->20 21 dffdf2-dffdf8 18->21 19->18 23 dffe9c-dffea2 20->23 24 dffea3-dffedb 20->24 21->20 23->24 28 dffedd-dffee0 24->28 29 dffee8 24->29 28->29 30 dffee9 29->30 30->30
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00DFFE8A
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.395870761.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_df0000_Order Specification.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: c0a81715896fcf2233588b43cc2474c521835134cb22d9e327ebdcda0c936687
                                            • Instruction ID: 75b815f66dfcb441d2fdaee8a2efef9c2c7b5d25f94b5fc646a65d44d0d07d06
                                            • Opcode Fuzzy Hash: c0a81715896fcf2233588b43cc2474c521835134cb22d9e327ebdcda0c936687
                                            • Instruction Fuzzy Hash: C251D0B1D0030D9FDF14CFA9C884AEEBBB5BF88314F25812AE919AB250D7749845CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 31 df3de4-df5431 CreateActCtxA 34 df543a-df5494 31->34 35 df5433-df5439 31->35 42 df5496-df5499 34->42 43 df54a3-df54a7 34->43 35->34 42->43 44 df54a9-df54b5 43->44 45 df54b8 43->45 44->45 47 df54b9 45->47 47->47
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 00DF5421
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.395870761.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_df0000_Order Specification.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: c57729582d8f8cd4829d4695e52e6f0bc22cd1080dddd7a2aefc6bd8d1e9354d
                                            • Instruction ID: 87295bbce3a3b1a0a572673b50a6a27da0153ea1bf59dbca8e9ad12c51845740
                                            • Opcode Fuzzy Hash: c57729582d8f8cd4829d4695e52e6f0bc22cd1080dddd7a2aefc6bd8d1e9354d
                                            • Instruction Fuzzy Hash: 3D4113B1C0061DCFDB24CFA9C848BDEBBB5BF49308F248469D509AB255D7716986CFA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 48 df536f-df5431 CreateActCtxA 50 df543a-df5494 48->50 51 df5433-df5439 48->51 58 df5496-df5499 50->58 59 df54a3-df54a7 50->59 51->50 58->59 60 df54a9-df54b5 59->60 61 df54b8 59->61 60->61 63 df54b9 61->63 63->63
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 00DF5421
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.395870761.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_df0000_Order Specification.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: cd7e57477459f22e07a67fffc124874ccd5cb798d5b9b6c7b38e15d5f6086694
                                            • Instruction ID: d9f71d12021f32785b6b5d57b2ff3ccd339500640c69ea3f9d02ff8d8793fe7e
                                            • Opcode Fuzzy Hash: cd7e57477459f22e07a67fffc124874ccd5cb798d5b9b6c7b38e15d5f6086694
                                            • Instruction Fuzzy Hash: A84123B1C0061DCFDB24CFA9C848BDDBBB5BF49308F248469D508AB251DB716986CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 64 df9880-dfb9cc DuplicateHandle 66 dfb9ce-dfb9d4 64->66 67 dfb9d5-dfb9f2 64->67 66->67
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00DFB8FE,?,?,?,?,?), ref: 00DFB9BF
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.395870761.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_df0000_Order Specification.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 5a0818e57b0cdc7a687caef5ef10d71958738cc80892cd46577a50af14dc270f
                                            • Instruction ID: c7b86fb0d9bc7bed540302b2f7188a09b626075433d842d4ad5aa5c04a38d01a
                                            • Opcode Fuzzy Hash: 5a0818e57b0cdc7a687caef5ef10d71958738cc80892cd46577a50af14dc270f
                                            • Instruction Fuzzy Hash: FB2125B5900218EFDB10CF99D984AEEBBF8FB48324F14841AE914B3310D378A944CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 70 dfb933-dfb9cc DuplicateHandle 71 dfb9ce-dfb9d4 70->71 72 dfb9d5-dfb9f2 70->72 71->72
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00DFB8FE,?,?,?,?,?), ref: 00DFB9BF
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.395870761.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_df0000_Order Specification.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 1f7e8a147571a5bf24c75e57c1a5b8c44d56f1a4f6597355aa4b92c27e1cd209
                                            • Instruction ID: a045ebd1a96e07a93d3856e0e54d7c4d91d9bf43b16610ca000fb21454ae2852
                                            • Opcode Fuzzy Hash: 1f7e8a147571a5bf24c75e57c1a5b8c44d56f1a4f6597355aa4b92c27e1cd209
                                            • Instruction Fuzzy Hash: 332103B5900208AFDB10CFA9D984AEEBFF4EF48324F14841AE914A3310C378A945CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 75 df94f8-df9bb8 77 df9bba-df9bbd 75->77 78 df9bc0-df9bef LoadLibraryExW 75->78 77->78 79 df9bf8-df9c15 78->79 80 df9bf1-df9bf7 78->80 80->79
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00DF99D1,00000800,00000000,00000000), ref: 00DF9BE2
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.395870761.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_df0000_Order Specification.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: d890a5fff315759b0e4f48c599d4bb20d88863b76887b675a8b4e8b281a80b69
                                            • Instruction ID: 20e67b0573e8dd0cf0de6ffe3365df1859c36dee4583284de85439afdda58708
                                            • Opcode Fuzzy Hash: d890a5fff315759b0e4f48c599d4bb20d88863b76887b675a8b4e8b281a80b69
                                            • Instruction Fuzzy Hash: A21114B6D002099FDB14CF9AD488BEEFBF8EB88314F15842AE515B7200C374A945CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 83 df9b73-df9bb8 84 df9bba-df9bbd 83->84 85 df9bc0-df9bef LoadLibraryExW 83->85 84->85 86 df9bf8-df9c15 85->86 87 df9bf1-df9bf7 85->87 87->86
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00DF99D1,00000800,00000000,00000000), ref: 00DF9BE2
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.395870761.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_df0000_Order Specification.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 47fd24e77e72bce2d090c42aff1fd324854a6fd4f47f06bb80d429e1509e5cb5
                                            • Instruction ID: 4d57308a461ceb8cf385924e2090997d39f4857918d14ae6383ad2972a7e62b7
                                            • Opcode Fuzzy Hash: 47fd24e77e72bce2d090c42aff1fd324854a6fd4f47f06bb80d429e1509e5cb5
                                            • Instruction Fuzzy Hash: 881126B6D002498FDB14CF99D484BEEFBF4AB98314F14852ED415A7600C374A545CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 96 df98f0-df9930 97 df9938-df9963 GetModuleHandleW 96->97 98 df9932-df9935 96->98 99 df996c-df9980 97->99 100 df9965-df996b 97->100 98->97 100->99
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00DF9956
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.395870761.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_df0000_Order Specification.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: f15fde80f259e04f366e19627402eeb56478e313b4fa8ba750f9e1abc55c44f1
                                            • Instruction ID: 2ee1f34230a6773c9aa32d67acc9e2c932fcdd51e53f37166c7bfce11fd0e45d
                                            • Opcode Fuzzy Hash: f15fde80f259e04f366e19627402eeb56478e313b4fa8ba750f9e1abc55c44f1
                                            • Instruction Fuzzy Hash: F01110B2C006498FDB10CF9AC444BDEFBF8AB89324F15842AD529B7300C3B8A545CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph 90 df98eb-df9930 91 df9938-df9963 GetModuleHandleW 90->91 92 df9932-df9935 90->92 93 df996c-df9980 91->93 94 df9965-df996b 91->94 92->91 94->93
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00DF9956
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.395870761.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_df0000_Order Specification.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: b4f460baa17770ee19edeb5c1c2775e4e4572b1c37cca60e03a473a32c860ed5
                                            • Instruction ID: d5a192a711dceeff8cfa5d91a71b0d98a7f4deb659559873f0952e2ecbbd7e4b
                                            • Opcode Fuzzy Hash: b4f460baa17770ee19edeb5c1c2775e4e4572b1c37cca60e03a473a32c860ed5
                                            • Instruction Fuzzy Hash: 2B1102B5C006498FDB14CF9AC444BDEFBF4AB89324F15842AD969B7710C374A545CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.408593288.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_52f0000_Order Specification.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f3b5f22aebb29debc2f1447a131e15ad76c870127cd4be75b60d3126bcd9c4ae
                                            • Instruction ID: 2fc5a4d75f5d9a20912c8673762f56c2432f61786da22e23dd6856f276256cc3
                                            • Opcode Fuzzy Hash: f3b5f22aebb29debc2f1447a131e15ad76c870127cd4be75b60d3126bcd9c4ae
                                            • Instruction Fuzzy Hash: 88912430E41308DBEB15DFB1E851BADB7B6EF89305F218029EA057B294DB726D45CB09
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.408593288.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_52f0000_Order Specification.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8dce2a04f93565350fc230acfda41f6b9d02561aaf9f9b37ddd40a3b1f47d5f1
                                            • Instruction ID: 4e5aa56823ac29ce5b56cb52a796844e3b01a79d676b1e130f02e8918dc19452
                                            • Opcode Fuzzy Hash: 8dce2a04f93565350fc230acfda41f6b9d02561aaf9f9b37ddd40a3b1f47d5f1
                                            • Instruction Fuzzy Hash: 2481E074E10208CFDB54DFA5E958AAEBBB6FF88300F208029D51AA7364DB346E45CF50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.395584994.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_b7d000_Order Specification.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b10f9eb2fc667539806d04db852aaaf16169ac34f172ce13b82264bb5d185ed1
                                            • Instruction ID: b857a0e56261cd391690e7ebeb335e294627652566379e8d33f16e5f45108fd5
                                            • Opcode Fuzzy Hash: b10f9eb2fc667539806d04db852aaaf16169ac34f172ce13b82264bb5d185ed1
                                            • Instruction Fuzzy Hash: AB2100B1604200DFDB14CF14D9D4B26BBB5EF88354F24C9A9D80E4B246C33AD846CA61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.395584994.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_b7d000_Order Specification.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5b7554d8ea0c9ed638f4d84d91e63fd6feb31476c1d1a55cffe8b959887a079c
                                            • Instruction ID: 41793667cf73c704b187d1e6425e5523d01d1bc4c48107e3ac4ac56b55ead3b3
                                            • Opcode Fuzzy Hash: 5b7554d8ea0c9ed638f4d84d91e63fd6feb31476c1d1a55cffe8b959887a079c
                                            • Instruction Fuzzy Hash: 2521D0B16042049FDB04CF54D9C4B26BBB5FF88364F24CAA9E80D4A256C33AD847CA61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.395584994.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_b7d000_Order Specification.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 439abe9a0b47006655c8e9749210c7bde5d8e10ec2216520fe3912258e38ddea
                                            • Instruction ID: 6a1e84d80a9ad1c38ed35a6ecd7d5be00954830123c74936289d999c47d83ed0
                                            • Opcode Fuzzy Hash: 439abe9a0b47006655c8e9749210c7bde5d8e10ec2216520fe3912258e38ddea
                                            • Instruction Fuzzy Hash: 832162755083809FDB02CF14D994B15BFB1EF46314F28C5DAD8498F297C33A985ACB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.395584994.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_b7d000_Order Specification.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dee6b459bb36e796693a2bcff13a1c1ca0a03e4dfa9d43a9d833c43906ee4ea3
                                            • Instruction ID: 96ee7f75fddeada26219cb805891ce478b1b777b9a7b5a759463835d3b5bb2c8
                                            • Opcode Fuzzy Hash: dee6b459bb36e796693a2bcff13a1c1ca0a03e4dfa9d43a9d833c43906ee4ea3
                                            • Instruction Fuzzy Hash: 43118B75504284DFDB01CF50D9C4B15BBB1FB84324F28CAA9D8494B656C33AD84ACB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.408593288.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_52f0000_Order Specification.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e179aaef7c025e916a002d0fe1cf640c0a6c4e5aba0158ecb4dc54d74e405cc2
                                            • Instruction ID: 6eb4d5e1a0214ff271343beb0939c65babe92e5f4fde58cc32d3a9e689ea477a
                                            • Opcode Fuzzy Hash: e179aaef7c025e916a002d0fe1cf640c0a6c4e5aba0158ecb4dc54d74e405cc2
                                            • Instruction Fuzzy Hash: E5F03C30E11209DFCB14DFA9EA046AEFBF5FF48305F1085A5C919A3304EB349A40CB44
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.408593288.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_52f0000_Order Specification.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b921128c6356fb4f496ec5b5a8bf4fdc87e38fd55507db252ba9c096310ec191
                                            • Instruction ID: c7311b47cd1a5493e49542432912f11726095ca6da213509a9c72b16f720bf90
                                            • Opcode Fuzzy Hash: b921128c6356fb4f496ec5b5a8bf4fdc87e38fd55507db252ba9c096310ec191
                                            • Instruction Fuzzy Hash: 72F0F470D12219DFDB40DFA9EA056AEFBF5BF48201F1085B9C418A3308EB749A418F44
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.408593288.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_52f0000_Order Specification.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2d18f870f635e679b71ace59c021f986dc4f184d08f99167dd6404590663d080
                                            • Instruction ID: 5f089a65d5d3ac25118ef66675665170dd4324bf1cd477645b8859591eff7e5b
                                            • Opcode Fuzzy Hash: 2d18f870f635e679b71ace59c021f986dc4f184d08f99167dd6404590663d080
                                            • Instruction Fuzzy Hash: 88F01770E1520ADFDB44DFAAEA446AEFBF5FF48301F1085BAC818E3204E7749A418B44
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.408593288.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_52f0000_Order Specification.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 07b296fe41bfb4a20d23c0f3de1c0e9c1eeb693fd2110916390f60604af0530f
                                            • Instruction ID: ee93654ebccefc4d40f7dccbf3999fde9bd110e3ba09f59378b7d6a9a07a5fc5
                                            • Opcode Fuzzy Hash: 07b296fe41bfb4a20d23c0f3de1c0e9c1eeb693fd2110916390f60604af0530f
                                            • Instruction Fuzzy Hash: C8F01230D15209DFDB04DFB6F64469DF7F5BF44315F50C1B98908A3204E73499558B55
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.408593288.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_52f0000_Order Specification.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6439243169915e38b26255bc5fd3a7c5a79beb37d156a0e769169ee3754a1b09
                                            • Instruction ID: cf696450713cf9da9d553255712216fdfff40a3511a2bb0afad88f64075d05cc
                                            • Opcode Fuzzy Hash: 6439243169915e38b26255bc5fd3a7c5a79beb37d156a0e769169ee3754a1b09
                                            • Instruction Fuzzy Hash: 49F01230D16209DFDB44DBB9F60469EFBF5AF44305F11C0B5C50993244E7349991CB44
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.408593288.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_52f0000_Order Specification.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9a2c999f04bb85ed0ca5ad5354ffda340ad3e0949d43b255a2091aa5031a4acf
                                            • Instruction ID: 3ce03155d4e5dd4588114afa1a3933ff9b7e45074e22676a56d758b6de3f33f3
                                            • Opcode Fuzzy Hash: 9a2c999f04bb85ed0ca5ad5354ffda340ad3e0949d43b255a2091aa5031a4acf
                                            • Instruction Fuzzy Hash: 36F05830E2A309DFCB45DBB9A60469EF7FAAF84209F11C4B8C50892210E7348A94CB44
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.408593288.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_52f0000_Order Specification.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8f1ac616c72ef835a23cd78dc713d737b2d769524332b5beeec48139f8d87d57
                                            • Instruction ID: 163db32d8dbb0270eefe76dd5c237f695afe987a146c6539b41cca8a45fab1af
                                            • Opcode Fuzzy Hash: 8f1ac616c72ef835a23cd78dc713d737b2d769524332b5beeec48139f8d87d57
                                            • Instruction Fuzzy Hash: 63F05E30D12209DFDB40EBB5F54469DFBF9EF44201F11C0B5C40993264E73499508B44
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.408593288.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_52f0000_Order Specification.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 32e76716dccfdf6528e78027e2862a8388b64ad2ca13169b4c70874e950d8b8f
                                            • Instruction ID: d0d15a9f5341d3c36da9c1dc44c36a36bb47154007b23bbf5b850bc16117a7cf
                                            • Opcode Fuzzy Hash: 32e76716dccfdf6528e78027e2862a8388b64ad2ca13169b4c70874e950d8b8f
                                            • Instruction Fuzzy Hash: 54F0F830E25209EFDB81DFBAE54869DFBF9EF48605F1181B98918D3214E7349A908B45
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.408593288.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_52f0000_Order Specification.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b7b8d506eeb67d5f81bf97bd795466e0ef66c29b5c2bcef1ce8479b551da8757
                                            • Instruction ID: 43121fe391555de7b1faf65fa0ebec8366210d0b290b0f64fd9f118f77eb6574
                                            • Opcode Fuzzy Hash: b7b8d506eeb67d5f81bf97bd795466e0ef66c29b5c2bcef1ce8479b551da8757
                                            • Instruction Fuzzy Hash: 7EE09B30922219DFD755DBB9B905B5DFAFDAF44209F118475D90993210E7308A948715
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.408593288.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_52f0000_Order Specification.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a48141dadae5da23a1070a73963a5045fd201a7e092cafc2ca811745118d17dd
                                            • Instruction ID: 6292792d22fc60945cfc5e56bd508f2c35a7003e49362cc991aed227f33d3f52
                                            • Opcode Fuzzy Hash: a48141dadae5da23a1070a73963a5045fd201a7e092cafc2ca811745118d17dd
                                            • Instruction Fuzzy Hash: CAE09230A26209DFDB85DBB9F9457AEFAFDAF44315F1180B4C50D93264EB308A94C705
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.408593288.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_52f0000_Order Specification.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 51de4822b4aa04196ef5ce67f1ffc9ca6bbb6906a447f60ca2386d75d1f86bf6
                                            • Instruction ID: ef05747ef697e57353c7d71edf7e9b34c271f5c5abd12dbba5380d3bac291145
                                            • Opcode Fuzzy Hash: 51de4822b4aa04196ef5ce67f1ffc9ca6bbb6906a447f60ca2386d75d1f86bf6
                                            • Instruction Fuzzy Hash: ACF06D30926359DFDB81EBB9A64879DFBFDEF48205F1188B5C908D3224F7348A909B05
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.408593288.00000000052F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_52f0000_Order Specification.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 29c7570f0dcd8fa8b313812d7ce7d3c3cba014dcc3273a304d681e2f4767d01c
                                            • Instruction ID: e115b786dca28e26b8c5298a961d1a5b53ea27ca4694bfc61839811dc4fd7cc4
                                            • Opcode Fuzzy Hash: 29c7570f0dcd8fa8b313812d7ce7d3c3cba014dcc3273a304d681e2f4767d01c
                                            • Instruction Fuzzy Hash: 0FE0C2B0D1020ADFCB91EFB995496AFBBF5AF08204F244879C614E6250E7744A41CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.395870761.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_df0000_Order Specification.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c59abbff7667d130678285f232547832b6053f72a2073d1f8f861f00a143ba40
                                            • Instruction ID: c1386ca6f02b96a6f587ecd1156528c642af03095cc3526c64224b575abde589
                                            • Opcode Fuzzy Hash: c59abbff7667d130678285f232547832b6053f72a2073d1f8f861f00a143ba40
                                            • Instruction Fuzzy Hash: 8D12D5F9E917468BD310CF65E9881893FE1B765328BD0CA0BD2612BAD1D7B4016ECF48
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.395870761.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_df0000_Order Specification.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f47556854f58c3200ce5db72014a71acdc125d9097b78b0185b2f2d5fdb4e9fc
                                            • Instruction ID: 95136d784aea704207fe159c080d1bf8911f74200e0e919e48b3be9d824deda5
                                            • Opcode Fuzzy Hash: f47556854f58c3200ce5db72014a71acdc125d9097b78b0185b2f2d5fdb4e9fc
                                            • Instruction Fuzzy Hash: 5EA17F32E1021D8FCF05DFA5C9445EEB7B3FF85304B16856AE905AB261EB31E915CB60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000002.00000002.395870761.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_df0000_Order Specification.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 87ff09ca9e53f4e729ba2b612cb2e8c79a5a550ec1459e17eb0faba2a73a5b60
                                            • Instruction ID: 151ad714ebfba2d9aec969d7732dacc40920837bf0379cc4cf8e489182d5b88b
                                            • Opcode Fuzzy Hash: 87ff09ca9e53f4e729ba2b612cb2e8c79a5a550ec1459e17eb0faba2a73a5b60
                                            • Instruction Fuzzy Hash: 77C118F9E917468BD310CF65E9881893FE1BB65328F91CB0BD2616B6D0D7B4106ACF48
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Execution Graph

                                            Execution Coverage:0.3%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:1
                                            Total number of Limit Nodes:0
                                            execution_graph 537 40104c #100

                                            Callgraph

                                            • Executed
                                            • Not Executed
                                            • Opacity -> Relevance
                                            • Disassembly available
                                            callgraph 0 Function_00FB91F8 1 Function_00FB547D 2 Function_00FB82FC 3 Function_00FB83F0 4 Function_0040104C 5 Function_00FB5F75 6 Function_00FB5DF4 7 Function_00401BD2 8 Function_00401A59 9 Function_00FB5661 10 Function_00FB8361 11 Function_00FB82E7 12 Function_00FB7E64 13 Function_00FB83DB 14 Function_00FB56DB 15 Function_00FB55D9 16 Function_00FB90D8 17 Function_00401AE4 18 Function_00FB60DD 19 Function_00401A6D 20 Function_00FB4AD4 21 Function_00FB8854 22 Function_00FB90CA 23 Function_00FB45C8 24 Function_00FB5FCF 25 Function_00FB43CD 26 Function_00FB67CC 27 Function_00FB91CC 28 Function_00401DFA 29 Function_00FB4EC1 30 Function_00FB5541 31 Function_00401AFB 32 Function_00FB50C7 33 Function_00FB8339 34 Function_00FB82BF 35 Function_00401E06 36 Function_00FB83B3 37 Function_00FB9131 38 Function_0040128C 39 Function_00FB50B7 40 Function_00FB6137 41 Function_00401B8D 42 Function_00FB43AB 43 Function_00FB662A 44 Function_00FB82AA 45 Function_00401B12 46 Function_00FB6029 47 Function_00FB7E29 48 Function_00401A94 49 Function_00FB4EAD 50 Function_00FB58AC 51 Function_00FB54A1 52 Function_00401A9E 53 Function_00FB8324 54 Function_00FB5F1B 55 Function_00FB8E9B 56 Function_00401A25 57 Function_00FB839E 58 Function_00FB521C 59 Function_00FB5512 60 Function_00401AAD 61 Function_00FB4309 62 Function_00FB4609 63 Function_00FB238E 64 Function_00FB6083 65 Function_00FB7203 66 Function_00FB6A82 67 Function_00FB8282 68 Function_00FB5481 69 Function_00FB5507 70 Function_00401D3D 71 Function_00FB6986 72 Function_00FB7104 73 Function_00FB8D84

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 0 40104c-401067 #100
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.411348762.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_400000_Order Specification.jbxd
                                            Similarity
                                            • API ID: #100
                                            • String ID: VB5!6&*
                                            • API String ID: 1341478452-3593831657
                                            • Opcode ID: 3cdc8536199cd560e2627349f8158df96f2d3e5b25d6b8b93e5c5f73a6db8eeb
                                            • Instruction ID: a12084c55d1ffc36602276b3cafedaf3d59f71825310c224ab85d25d8918c0d8
                                            • Opcode Fuzzy Hash: 3cdc8536199cd560e2627349f8158df96f2d3e5b25d6b8b93e5c5f73a6db8eeb
                                            • Instruction Fuzzy Hash: F1D0A44004E3C40ED30756B60DA56862F70090325031A00EBC5C0EE4E3805C09888336
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Execution Graph

                                            Execution Coverage:23.1%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:6.5%
                                            Total number of Nodes:217
                                            Total number of Limit Nodes:13
                                            execution_graph (API call sites recovered from the flattened graph, as function entry → API at call-site address; paths that cross several blocks are shown as chains)
                                            • 77aa32 → RegOpenKeyExW at 77aa6a
                                            • 77bb7e → PostMessageW at 77bbb3
                                            • 49b1312 → RegSetValueExW at 49b1347
                                            • 77be3e → DispatchMessageW at 77be6a
                                            • 77a0be → WSAStartup at 77a0e9
                                            • 77ab3a → RegQueryValueExW at 77ab6f
                                            • 49b210a → ConvertStringSecurityDescriptorToSecurityDescriptorW at 49b2142
                                            • 49b124a → CopyFileW at 49b1273
                                            • 49b158e → GetSystemInfo at 49b15ba
                                            • 49b0d8e → CreateFileW at 49b0dc6
                                            • 49b0cce → CreateDirectoryW at 49b0cf4
                                            • 77a8ee → SetWindowLongW at 77a920
                                            • 488e0e8 → 488e0f1 → 488e128 / 488e138 → 488e140 → 488e169 → 488e19b → 488e280 / 488e290 → 488e2b9 → 49b1bec / 49b1c92 → DnsQuery_A at 49b1c3d / 49b1ce2
                                            • 49b22ba → OpenFileMappingW at 49b22f2
                                            • 49b23ba → MapViewOfFile at 49b23f2
                                            • 77bed2 → SetCurrentDirectoryW at 77bef8
                                            • 4880660 → 4880665 → 4880682 → 488068f → 48843d0 → 4884510 → 4884520 → 48845b8 / 48845c8 → 49b02ab / 49b02de → RegOpenKeyExA at 49b02de / 49b0319, then 48845f5 → 49b0390 / 49b03ca → RegQueryValueExA at 49b03ca / 49b0405, then 4884620 → 77a372 → SetErrorMode at 77a39e
                                            • 4880660 (continued) → 48807e2 → 4885b28 → 4885b31 → 4885ba0 → 49b13cc / 49b13fa → DeleteFileA at 49b13da / 49b1435
                                            • 4880660 (continued) → 4880806 → 4885d09 / 4885d18 → 4885d88 → 4885dba → 4885eda / 4885ee8 → 49b14a7 → 49b14da → SetKernelObjectSecurity at 49b1500
                                            • 49b2ab2 → bind at 49b2ae7
                                            • 49b2db2 → FormatMessageW at 49b2e02
                                            • 49b1936 → FindCloseChangeNotification at 49b1962
                                            • 49b0776 → GetTokenInformation at 49b0777
                                            • 77af9a → CreateActCtxA at 77afea
                                            • 49b01f4 → CreateMutexW at 49b0197 and FindCloseChangeNotification at 49b0200
                                            • 77a546 → DuplicateHandle at 77a584
                                            • 77b746 → CreateIconFromResourceEx at 77b784
                                            • 77b806 → SendMessageW at 77b83b
                                            • 49b1d2e → WSASocketW at 49b1d66
                                            • 49b19e2 → K32EnumProcesses at 49b1a0e
                                            • 49b0ea6 → GetFileType at 49b0edb
                                            • 49b1aa6 → NtQuerySystemInformation at 49b1adb
                                            • 49b2826 → GetProcessTimes at 49b285b
                                            • 49b16e6 → LookupPrivilegeValueW at 49b170f
                                            • 49b1866 → AdjustTokenPrivileges at 49b1895
                                            • 49b0f66 → setsockopt at 49b0f9b
                                            • 77a78a → OleInitialize at 77a7b6
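When a Joe Sandbox execution graph or control-flow graph is copied out of the report as text, it arrives as the flat token stream seen in this section: a decimal node index, a hex address (or a start-end address range for a basic block), optional label words such as an API name, "#100" or "2 API calls", and "src->dst" edge tokens. The following parser is an added example written for this page; it is not part of the Joe Sandbox report or of its tooling. The token grammar is inferred from the lines above (an assumption, not a documented format), the two sample strings are constructed from fragments of this report's graphs, and the "N API calls" labels are treated as summaries of deeper callees rather than as API names.

```python
import re
from collections import defaultdict, deque

# Token grammar inferred from the graph lines on this page (an assumption,
# not a documented Joe Sandbox format): decimal node index, hex address or
# "start-end" range, optional label words, and "src->dst" edge tokens.
ADDRESS = re.compile(r"[0-9a-fA-F]+(?:-[0-9a-fA-F]+)?$")
SUMMARY = re.compile(r"\d+ API calls?$")

# Constructed samples: fragments of the flattened graphs in this report.
SAMPLE_EXECUTION_GRAPH = (
    "execution_graph 13700 77aa32 13701 77aa6a RegOpenKeyExW 13700->13701 "
    "13703 77aac0 13701->13703 "
    "13895 49b16e6 13896 49b170f LookupPrivilegeValueW 13895->13896 "
    "13898 49b1736 13896->13898 "
    "13899 49b1866 13900 49b1895 AdjustTokenPrivileges 13899->13900 "
    "13902 49b18b7 13900->13902 "
    "13724 488e0e8 13725 488e0f1 13724->13725 13733 488e128 13725->13733 "
    "13734 488e140 13733->13734 13736 488e169 2 API calls 13734->13736 "
    "13752 49b1bec 13736->13752 13753 49b1c3d DnsQuery_A 13752->13753"
)
SAMPLE_CONTROL_FLOW_GRAPH = (
    "control_flow_graph 429 49b2a60-49b2aef 434 49b2af1 429->434 "
    "435 49b2af4-49b2b0b 429->435 434->435 437 49b2b4f-49b2b54 435->437 "
    "438 49b2b0d-49b2b2d bind 435->438 437->438 441 49b2b2f-49b2b4c "
    "438->441 442 49b2b56-49b2b5b 438->442 442->441"
)


def parse_graph(text):
    """Return (nodes, edges) for a flattened execution or control-flow graph.

    nodes maps node index -> (address, label); label is "" for a plain block.
    edges is a list of (src_index, dst_index).
    """
    tokens = text.split()
    if tokens and tokens[0].endswith("_graph"):
        tokens = tokens[1:]
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:
            src, dst = tok.split("->", 1)
            edges.append((int(src), int(dst)))
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and ADDRESS.match(tokens[i + 1]):
            current = int(tok)
            nodes[current] = (tokens[i + 1], "")
            i += 2
        else:
            # Any other token is a label word belonging to the current node.
            if current is None:
                raise ValueError(f"label {tok!r} precedes the first node")
            addr, label = nodes[current]
            nodes[current] = (addr, f"{label} {tok}".strip())
            i += 1
    return nodes, edges


def api_call_sites(nodes, edges):
    """Pair every API-labelled node with its predecessor(s).

    The predecessor is the function or block that reaches the call, so each
    result is (caller_address, api_node_address, api_name). Summary nodes
    labelled "N API calls" are skipped.
    """
    preds = defaultdict(list)
    for src, dst in edges:
        preds[dst].append(src)
    sites = []
    for idx, (addr, label) in nodes.items():
        if not label or SUMMARY.match(label):
            continue
        callers = [nodes[p][0] for p in preds[idx] if p in nodes] or [None]
        for caller in callers:
            sites.append((caller, addr, label))
    return sites


def reachable_apis(nodes, edges, entry_address):
    """Sorted API names reachable from the node(s) at entry_address (BFS)."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    queue = deque(i for i, (a, _) in nodes.items() if a == entry_address)
    seen, apis = set(queue), set()
    while queue:
        idx = queue.popleft()
        label = nodes[idx][1]
        if label and not SUMMARY.match(label):
            apis.add(label)
        for nxt in succ[idx]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(apis)


if __name__ == "__main__":
    n, e = parse_graph(SAMPLE_EXECUTION_GRAPH)
    for caller, site, api in api_call_sites(n, e):
        print(f"{caller} -> {api} at {site}")
    print("reachable from 488e0e8:", reachable_apis(n, e, "488e0e8"))
```

Running it on the full execution_graph line yields the same function → API pairs as the list above; `reachable_apis` is the quick way to answer "which imports does this one function end up touching" for a caller such as 488e0e8, whose only API is DnsQuery_A several blocks down.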

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph (basic blocks of the function at 49b2a60, each with its successors)
                                            • 49b2a60-49b2aef → 49b2af1, 49b2af4-49b2b0b
                                            • 49b2af1 → 49b2af4-49b2b0b
                                            • 49b2af4-49b2b0b → 49b2b0d-49b2b2d (bind), 49b2b4f-49b2b54
                                            • 49b2b4f-49b2b54 → 49b2b0d-49b2b2d (bind)
                                            • 49b2b0d-49b2b2d (bind) → 49b2b2f-49b2b4c, 49b2b56-49b2b5b
                                            • 49b2b56-49b2b5b → 49b2b2f-49b2b4c
                                            APIs
                                            • bind.WS2_32(?,00000E2C,43BC978E,00000000,00000000,00000000,00000000), ref: 049B2B13
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: bind
                                            • String ID:
                                            • API String ID: 1187836755-0
                                            • Opcode ID: 4acf1647da5db44c9e2bbcd5e2c96fc583461fdeb71d3a12fa05be1a991a8f97
                                            • Instruction ID: a73f3d776b01d5c89863f41088cd6159e980deeeb51a8a287bae5f43a51c377a
                                            • Opcode Fuzzy Hash: 4acf1647da5db44c9e2bbcd5e2c96fc583461fdeb71d3a12fa05be1a991a8f97
                                            • Instruction Fuzzy Hash: 48313E7150A3C05FD7138B258D59B96BFB8EF47210F0984EBD984DF1A3D224A848C7B2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 049B18AF
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: AdjustPrivilegesToken
                                            • String ID:
                                            • API String ID: 2874748243-0
                                            • Opcode ID: 5aec290f71dd76101d7def3d2fa12489ab1e3a6af40f987ebf99c90cddd628e7
                                            • Instruction ID: 1dcdcd9a82684086d968e744edde211e6be60e49672993c03b6f95602ec37b49
                                            • Opcode Fuzzy Hash: 5aec290f71dd76101d7def3d2fa12489ab1e3a6af40f987ebf99c90cddd628e7
                                            • Instruction Fuzzy Hash: 5A21A2755097849FDB238F25DC51B52BFA8FF06210F0885AAE9848B163D234A508CBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • NtQuerySystemInformation.NTDLL ref: 049B1AE1
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: InformationQuerySystem
                                            • String ID:
                                            • API String ID: 3562636166-0
                                            • Opcode ID: c6997afdf46cf6e619faadb308eb6f822d523f97a4521b26eb8bc537e067aa1b
                                            • Instruction ID: 196b3f547700e4b0f06d3314f07e3aa1b9d9809ac4beded965bf23af95d078f8
                                            • Opcode Fuzzy Hash: c6997afdf46cf6e619faadb308eb6f822d523f97a4521b26eb8bc537e067aa1b
                                            • Instruction Fuzzy Hash: 0521DE714093C09FDB238F21DC45A92FFB4EF16314F0980DBE9C48B1A3E225A508CBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • bind.WS2_32(?,00000E2C,43BC978E,00000000,00000000,00000000,00000000), ref: 049B2B13
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: bind
                                            • String ID:
                                            • API String ID: 1187836755-0
                                            • Opcode ID: dd0143d7ec1ddf47597d4dcbf007213815b5e288f9a57f2a5d893e58c54af91a
                                            • Instruction ID: 68cb4b98d5897231b8d09ccc00f2b6d74a9f5bfdf0e2bf3d28e491cd51bb6944
                                            • Opcode Fuzzy Hash: dd0143d7ec1ddf47597d4dcbf007213815b5e288f9a57f2a5d893e58c54af91a
                                            • Instruction Fuzzy Hash: 6211E271500244AFE722CF15DE89FA6FB9CEF45720F1484AAED44DB242D774A404CBB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 049B18AF
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: AdjustPrivilegesToken
                                            • String ID:
                                            • API String ID: 2874748243-0
                                            • Opcode ID: c3523758fc240a1a02b6dee29c09a1cd72097f19ac0f1494461cc96993fdfe3b
                                            • Instruction ID: 33cecefde008b7dda3999ff4c13dd366a8898f98d2c920675dc912fc4d117bed
                                            • Opcode Fuzzy Hash: c3523758fc240a1a02b6dee29c09a1cd72097f19ac0f1494461cc96993fdfe3b
                                            • Instruction Fuzzy Hash: 121170315006449FDB21CF55DA85BA6FBE8FF44720F08C86AED858B612D331E418DBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetSystemInfo.KERNELBASE(?), ref: 049B15C0
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: InfoSystem
                                            • String ID:
                                            • API String ID: 31276548-0
                                            • Opcode ID: 93155570b5b56f12f883be83f48daed76aaac975b487c6e24d983593a59f8825
                                            • Instruction ID: d79e0595575d6ee0fc5ef7130540c5acd877f6e367ce215e8fa6dd3a136f65e3
                                            • Opcode Fuzzy Hash: 93155570b5b56f12f883be83f48daed76aaac975b487c6e24d983593a59f8825
                                            • Instruction Fuzzy Hash: 4801A2705042849FDB11CF15DA85796FB94EF44220F08C4AADD898F202D2B4A404CBB2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • NtQuerySystemInformation.NTDLL ref: 049B1AE1
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: InformationQuerySystem
                                            • String ID:
                                            • API String ID: 3562636166-0
                                            • Opcode ID: d1a1c70f8a0b3f9a885e47a5c4b9e2fcc7ddbd74509b2671e05e725bbcd59cdc
                                            • Instruction ID: 2e467e7ca4d07db9709c8d85790b520732ee32a740ab121199fb31e91f56bd3b
                                            • Opcode Fuzzy Hash: d1a1c70f8a0b3f9a885e47a5c4b9e2fcc7ddbd74509b2671e05e725bbcd59cdc
                                            • Instruction Fuzzy Hash: AB01DF314002448FDB218F05DA89B61FFA4EF04721F08C5AADD894B612D371B008CBB2
                                            Uniqueness

                                            Uniqueness Score: -1.00%
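The entries above and below are the Joe Sandbox IDA plugin's per-function records: each lists the Win32/NT APIs a recovered function calls, the memory region it was carved from, and fuzzy hashes for similarity matching. Reading them one at a time hides the useful pattern, namely that the 049B0000 region carries the RAT's native capability (mutex, socket bind, DNS query, token privilege handling) while the 04880000 region has no direct API references at all. The following Python example is added here and is not part of the report or of Joe Sandbox's code; it parses a constructed excerpt of these entries (copied from this page, trimmed to the fields used), tabulates API references per region, and cross-checks the "API ID" field against a token rule inferred from the entries on this page. That rule (sort the CamelCase tokens of all APIs in the function, dropping the Nt/Get/Dns prefixes and the single-letter A/W suffixes) is an assumption, not a documented algorithm.

```python
import re
from collections import defaultdict

# Constructed sample: four of the function entries on this page, trimmed to the
# fields the parser uses. This is pasted report text, not a live analysis.
SAMPLE_REPORT = """\
APIs
• NtQuerySystemInformation.NTDLL ref: 049B1AE1
Memory Dump Source
• Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
Similarity
• API ID: InformationQuerySystem
• Instruction Fuzzy Hash: 0521DE714093C09FDB238F21DC45A92FFB4EF16314F0980DBE9C48B1A3E225A508CBA2
Uniqueness Score: -1.00%

APIs
• bind.WS2_32(?,00000E2C,43BC978E,00000000,00000000,00000000,00000000), ref: 049B2B13
Memory Dump Source
• Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
Similarity
• API ID: bind
• Instruction Fuzzy Hash: 6211E271500244AFE722CF15DE89FA6FB9CEF45720F1484AAED44DB242D774A404CBB1
Uniqueness Score: -1.00%

APIs
• CreateMutexW.KERNELBASE(?,?), ref: 049B019D
• FindCloseChangeNotification.KERNELBASE(?), ref: 049B0264
Memory Dump Source
• Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
Similarity
• API ID: ChangeCloseCreateFindMutexNotification
• Instruction Fuzzy Hash: 6A31C3715053849FE711CF58D985B96BFA8FF46320F0884AFDD898F252D335A908CBA2
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
Similarity
• API ID:
• String ID: X1q$X1q$X1q$X1q
• Instruction Fuzzy Hash: B2510831B44159DFCB14ABA4D854A6EB7F2FF85308F218AA9E446DB251DB34FC06CB90
Uniqueness Score: -1.00%
"""

# "• Name.MODULE(args), ref: ADDR" with the argument list optional (see NtQuerySystemInformation above)
API_RE = re.compile(r"•\s*(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)")
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")
API_ID_RE = re.compile(r"API ID:[ \t]*(\S*)")      # value may be empty (pure-string functions)
HASH_RE = re.compile(r"Instruction Fuzzy Hash:\s*(\w+)")

# Assumption inferred from this page's entries: these leading tokens never
# appear in an API ID (NtQuerySystemInformation -> InformationQuerySystem, etc.).
STRIPPED_TOKENS = {"Nt", "Get", "Dns"}


def parse_entries(text):
    """Split the report into per-function entries; each ends with a 'Uniqueness Score' line."""
    entries = []
    for chunk in re.split(r"Uniqueness Score:[^\n]*\n?", text):
        if "Memory Dump Source" not in chunk:
            continue
        m_off, m_id, m_hash = OFFSET_RE.search(chunk), API_ID_RE.search(chunk), HASH_RE.search(chunk)
        entries.append({
            "region": m_off.group(1).upper() if m_off else None,
            "api_id": m_id.group(1) if m_id else "",
            "fuzzy_hash": m_hash.group(1) if m_hash else "",
            "apis": [{"name": n, "module": mod, "args": args or "", "ref": ref.upper()}
                     for n, mod, args, ref in API_RE.findall(chunk)],
        })
    return entries


def apis_by_region(entries):
    """Map each dumped memory region to the sorted list of API names its functions reference."""
    grouped = defaultdict(set)
    for e in entries:
        grouped[e["region"]].update(a["name"] for a in e["apis"])
    return {region: sorted(names) for region, names in grouped.items()}


def rebuild_api_id(api_names):
    """Rebuild the 'API ID' field from API names using the inferred token rule (assumption)."""
    tokens = set()
    for name in api_names:
        for tok in re.findall(r"[A-Z][a-z0-9_]*|[a-z0-9_]+", name):
            if tok in STRIPPED_TOKENS or (len(tok) == 1 and tok.isupper()):
                continue          # drop Nt/Get/Dns prefixes and A/W suffixes
            tokens.add(tok)
    return "".join(sorted(tokens))


def check_api_ids(entries):
    """Return entries whose recorded API ID disagrees with the rebuilt one (rule violations)."""
    return [e for e in entries
            if e["apis"] and rebuild_api_id(a["name"] for a in e["apis"]) != e["api_id"]]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_REPORT)
    for region, names in apis_by_region(parsed).items():
        print(region, ", ".join(names) or "(no direct API references)")
    print("API ID mismatches:", len(check_api_ids(parsed)))
```

Running this on the full report text instead of the excerpt gives a per-region capability summary (the 049B0000 region is the one worth carving for a standalone sample), and a non-empty `check_api_ids` result flags entries where the inferred token rule does not hold, which is the signal to stop trusting the reconstruction rather than the report.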

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ac07ee1961fdce888bc711b04d76e22312e7f41ebd4555fa54dec0dfaabd1476
                                            • Instruction ID: 3868cf665b48f17642389ca9a51fc2fe82498b43a420ce3a84d89acac331ae54
                                            • Opcode Fuzzy Hash: ac07ee1961fdce888bc711b04d76e22312e7f41ebd4555fa54dec0dfaabd1476
                                            • Instruction Fuzzy Hash: 47824875A00609CFCB14DF68C984AADBBB2FF88310F158A69E459AB651D734F981CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4fd4312bbe111093c7aa4f8cb283c80038df95ce522202946277e50b8e81b81d
                                            • Instruction ID: 16fa7bdd54fd86bf836904dd73454758d5a429bfaf411f3935615c64e62dfba5
                                            • Opcode Fuzzy Hash: 4fd4312bbe111093c7aa4f8cb283c80038df95ce522202946277e50b8e81b81d
                                            • Instruction Fuzzy Hash: 7642E571A0411ACFCB15EF58C9849A9BBB2FF85704B19CAA9D805DF212D772FC42CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a9e46fbdffd959651d4ffae0039b1b978310ab1fb31649605ca024c667ecec14
                                            • Instruction ID: 6052ca72916358917fdc79750f7b11f0f0f4b6b510fdfc99d48a0a8453361134
                                            • Opcode Fuzzy Hash: a9e46fbdffd959651d4ffae0039b1b978310ab1fb31649605ca024c667ecec14
                                            • Instruction Fuzzy Hash: 1B12AC70A04259CFDB28EF65C88066DBBF2BF94305F548A6DD415EB291EB78AC81CF50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5f1f9ea28d77af95ddfe4f73f203bf1879adcd050902918424ec20602a6e5c3e
                                            • Instruction ID: 83a1f0f5fd96a7968a2c325e9653587d1c00f4a86825ff511433e3734d36f4df
                                            • Opcode Fuzzy Hash: 5f1f9ea28d77af95ddfe4f73f203bf1879adcd050902918424ec20602a6e5c3e
                                            • Instruction Fuzzy Hash: 9712E330A00215CFDB24EF29C98466DB7F2BF88315F64CAADD416EB255EB78A845CF50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b94af3904c1edca8ce9d645cace60a50a3eb71ba1b559db417cd6f2537b94098
                                            • Instruction ID: 26721784f5511d29536e70ff295190c3c6c6c873f1affc13c91a3a4931ea4898
                                            • Opcode Fuzzy Hash: b94af3904c1edca8ce9d645cace60a50a3eb71ba1b559db417cd6f2537b94098
                                            • Instruction Fuzzy Hash: DF81C231F011199BC704EB69D954A6EB7F3AFC4710F2A8578E815EB365EE35EC018B90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

Control-flow Graph: basic blocks 048809A5-04880BAC in region 04880000 (rendered in the original report as a node graph with executed and not-executed blocks marked; calls into 04880BAF-04881F4C and 022E05CF/022E05F6)
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: X1q$X1q$X1q$X1q
                                            • API String ID: 0-1201878573
                                            • Opcode ID: bf3070a2d18f08f96da2c0533db557fb11dc05b84c764ed713e675e19042c6db
                                            • Instruction ID: 77387a9e282e31185dbd865d92ffa51c40ce70947cb4a191ce529283472db6ef
                                            • Opcode Fuzzy Hash: bf3070a2d18f08f96da2c0533db557fb11dc05b84c764ed713e675e19042c6db
                                            • Instruction Fuzzy Hash: B2510831B44159DFCB14ABA4D854A6EB7F2FF85308F218AA9E446DB251DB34FC06CB90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

Control-flow Graph: basic blocks 0488DF81-0488E0AE in region 04880000 (rendered in the original report as a node graph with executed and not-executed blocks marked)
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @x$@x$@x
                                            • API String ID: 0-1403344416
                                            • Opcode ID: edd7bc5f6dbe93ed76fbcbd8b2016805b158963389b179abc68dd06bc1df3186
                                            • Instruction ID: 0e9c06e1ceb3d854a6db23c6ad31e84988366fa7ee424ccf56c277612f93fa50
                                            • Opcode Fuzzy Hash: edd7bc5f6dbe93ed76fbcbd8b2016805b158963389b179abc68dd06bc1df3186
                                            • Instruction Fuzzy Hash: 2C3129302006058FC756AB78975116A77E3BFC53447A4892CD0868F76AEE7AAC078B85
                                            Uniqueness

                                            Uniqueness Score: -1.00%

Control-flow Graph: basic blocks 049B01A5-049B02A9 in region 049B0000, calling CreateMutexW and FindCloseChangeNotification (rendered in the original report as a node graph with executed and not-executed blocks marked)
                                            APIs
                                            • CreateMutexW.KERNELBASE(?,?), ref: 049B019D
                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 049B0264
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: ChangeCloseCreateFindMutexNotification
                                            • String ID:
                                            • API String ID: 2967213129-0
                                            • Opcode ID: e0eab3c554acfc79c2a0526b3da6b9933232945c53f0a8d715c9f644a075e7df
                                            • Instruction ID: 1449a91089379a0e11f8dcd850efe3a98560c2c4cb78646dee2f7c383b06d01b
                                            • Opcode Fuzzy Hash: e0eab3c554acfc79c2a0526b3da6b9933232945c53f0a8d715c9f644a075e7df
                                            • Instruction Fuzzy Hash: 6A31C3715053849FE711CF58D985B96BFA8FF46320F0884AFDD898F252D335A908CBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

Control-flow Graph: basic blocks 048802E8-0488064B in region 04880000 (rendered in the original report as a node graph with executed and not-executed blocks marked)
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: `5q$hex
                                            • API String ID: 0-2535517398
                                            • Opcode ID: 04241860f1f9730d2fa015e8c987e76e3f80b4d5809b6bc73445b2a2fbbb5df0
                                            • Instruction ID: c2c726ccaa9f002433554efb7dcf3d983e054dbafec01353d6583eb47327e703
                                            • Opcode Fuzzy Hash: 04241860f1f9730d2fa015e8c987e76e3f80b4d5809b6bc73445b2a2fbbb5df0
                                            • Instruction Fuzzy Hash: E571C430B052058FCB09EB68C55466E7BF2BFCA304F15856DE546EB3A2DB35AC06CB52
                                            Uniqueness

                                            Uniqueness Score: -1.00%

Control-flow Graph: basic blocks 048821F8-0488233F in region 04880000 (rendered in the original report as a node graph with executed and not-executed blocks marked; calls into 022E05CF/022E05F6)
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: nx$r*+
                                            • API String ID: 0-678835237
                                            • Opcode ID: 43920f13661f7d4946197bf9a3562e247753c18ddc49295e7bf2eb8cdfd52e16
                                            • Instruction ID: e1776cebfbbf0dd4c726702ec06c1bc91f831bfcc37cd6cc0dd4ac5ebe51542a
                                            • Opcode Fuzzy Hash: 43920f13661f7d4946197bf9a3562e247753c18ddc49295e7bf2eb8cdfd52e16
                                            • Instruction Fuzzy Hash: 6D410C30E08209DFCB44EBA9C5556AEBBF1FB44304F5089AED402E7261E735AA45DF52
                                            Uniqueness

                                            Uniqueness Score: -1.00%

Control-flow Graph: basic blocks 04880007-04880141 in region 04880000 (rendered in the original report as a node graph with executed and not-executed blocks marked; calls into 022E05CF/022E05F6)
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $lx$ix
                                            • API String ID: 0-890823160
                                            • Opcode ID: f7cb40bf1a8e2bb92376939489a00870fb0a724c219ac6315436e19ac3453039
                                            • Instruction ID: e154e0e691cf5063a9ab7f0a899afcf92728dda4793a137bc9ae8294ce02549e
                                            • Opcode Fuzzy Hash: f7cb40bf1a8e2bb92376939489a00870fb0a724c219ac6315436e19ac3453039
                                            • Instruction Fuzzy Hash: ED315E7024E3C6DFCB06AB7498684183FB1AF43205B5689AED085CB167E67C9C09DB17
                                            Uniqueness

                                            Uniqueness Score: -1.00%

Control-flow Graph: basic blocks 0488DE19-0488DF30 in region 04880000 (rendered in the original report as a node graph with executed and not-executed blocks marked; calls into 0488D7D8, 0488DF81 and 022E05CF/022E05F6)
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 0x$lq
                                            • API String ID: 0-477266894
                                            • Opcode ID: 089d22ca77b6a1e6d7bf606b1a7576b411613920859dac80b80531a033296892
                                            • Instruction ID: 58155557313104e76d283950118162a6a9168040d1920c7eede752bf8cda5cd4
                                            • Opcode Fuzzy Hash: 089d22ca77b6a1e6d7bf606b1a7576b411613920859dac80b80531a033296892
                                            • Instruction Fuzzy Hash: 8A21E230B04218CBCB15AB68D4003FEB7E2AB88305F104A2EE406EB785EB75AC46D790
                                            Uniqueness

                                            Uniqueness Score: -1.00%

Control-flow Graph: basic blocks 048812A0-0488203C in region 04880000 (rendered in the original report as a node graph with executed and not-executed blocks marked)
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $gq
                                            • API String ID: 0-815412418
                                            • Opcode ID: f5670bec49b57003deb3c6aa21da7b254f5e9bfa8b0a42aa92b40802c090dcb9
                                            • Instruction ID: b2283af91b716cc3359baca45b99a7f653007e6e9d77db76b2ee1c7c5f4b3a03
                                            • Opcode Fuzzy Hash: f5670bec49b57003deb3c6aa21da7b254f5e9bfa8b0a42aa92b40802c090dcb9
                                            • Instruction Fuzzy Hash: B622F234A00615CFCB24EF24C584A6AB7F2BF88304F50CA99D85ADB756DB38AD46CF50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

Control-flow Graph: basic blocks 049B1BEC-049B1D06 in region 049B0000, calling DnsQuery_A (rendered in the original report as a node graph with executed and not-executed blocks marked)
                                            APIs
                                            • DnsQuery_A.DNSAPI(?,00000E2C,?,?), ref: 049B1CE2
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: Query_
                                            • String ID:
                                            • API String ID: 428220571-0
                                            • Opcode ID: f23bb70e24e3c400df21f7c49f0b0fdfec224b82d8ab8b5c15d74fa227bb3684
                                            • Instruction ID: 45a9cddd133476303ef7b370370e61dda789ea79094e03f1f27d293eb4862696
                                            • Opcode Fuzzy Hash: f23bb70e24e3c400df21f7c49f0b0fdfec224b82d8ab8b5c15d74fa227bb3684
                                            • Instruction Fuzzy Hash: 8A41246540E3C06FD3138B358C61A61BFB4EF47614B0E85DBD884CF5A3D229690AC7B2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph (rendered graph not reproduced): basic blocks 49b0736-49b0831, GetTokenInformation called in block 49b07da-49b07e2
                                            APIs
                                            • GetTokenInformation.KERNELBASE(?,00000E2C,43BC978E,00000000,00000000,00000000,00000000), ref: 049B07E0
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: InformationToken
                                            • String ID:
                                            • API String ID: 4114910276-0
                                            • Opcode ID: 40f766667f5a45f9ad7ddbc6f93ba863eff33da7ead96608646b51a52609907c
                                            • Instruction ID: f637b3317f6491e262741d12539e782b8fc4554c71347ea9e1f61b43cbdedf1d
                                            • Opcode Fuzzy Hash: 40f766667f5a45f9ad7ddbc6f93ba863eff33da7ead96608646b51a52609907c
                                            • Instruction Fuzzy Hash: E731A771505384AFEB228F65DD45FA7BFBCEF46310F0484AAE984DB153D225A508C7B1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph (rendered graph not reproduced): basic blocks 49b0390-49b04a7, RegQueryValueExA called in block 49b0458-49b046b
                                            APIs
                                            • RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 049B045E
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: QueryValue
                                            • String ID:
                                            • API String ID: 3660427363-0
                                            • Opcode ID: 1df49b60594121f9816c2d7319cb517dcb640c017c8acb2baf984231b691d661
                                            • Instruction ID: 2c89ba9c3bdcc512ef194dcc372777830fb3f6b3da4fedd784e318688e74914e
                                            • Opcode Fuzzy Hash: 1df49b60594121f9816c2d7319cb517dcb640c017c8acb2baf984231b691d661
                                            • Instruction Fuzzy Hash: 1E31E4710043846FE7228F24CC41FA6FFA8EF06314F04899EE9859B193D3A5A949CBB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph (rendered graph not reproduced): basic blocks 49b0d68-49b0e62, CreateFileW called in block 49b0e07-49b0e2b
                                            APIs
                                            • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 049B0E0D
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0
                                            • Opcode ID: 3f6a085e700038796824d46db6845ef335f7b34c59a185c0f5345e904146bbe4
                                            • Instruction ID: d50753b2233585feb1ca2ea3cbd0c78a2beb588d85b40fba3e2fe4f143fabe5a
                                            • Opcode Fuzzy Hash: 3f6a085e700038796824d46db6845ef335f7b34c59a185c0f5345e904146bbe4
                                            • Instruction Fuzzy Hash: 15318C71505384AFE722CF25CD44BA7BFE8EF45620F0884AAE9849B252D325F808CB71
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph (rendered graph not reproduced): basic blocks 77aa02-77aaf7, RegOpenKeyExW called in block 77aaab-77aabe
                                            APIs
                                            • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0077AAB1
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559066144.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_77a000_host process.jbxd
                                            Similarity
                                            • API ID: Open
                                            • String ID:
                                            • API String ID: 71445658-0
                                            • Opcode ID: 03052f71164fbc0c12795befea55b6c9ae8f5c4431bc194d1ba9b611387991f2
                                            • Instruction ID: 71f1543549a3d4193b72f06c89e7d9867067682d83df92dbed565d32448c6885
                                            • Opcode Fuzzy Hash: 03052f71164fbc0c12795befea55b6c9ae8f5c4431bc194d1ba9b611387991f2
                                            • Instruction Fuzzy Hash: 6231D4724443846FE7228F25CD45FA7BFACEF46310F08C5AAED849B152D264E909CBB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph (rendered graph not reproduced): basic blocks 49b27e8-49b28d6, GetProcessTimes called in block 49b287f-49b2887
                                            APIs
                                            • GetProcessTimes.KERNELBASE(?,00000E2C,43BC978E,00000000,00000000,00000000,00000000), ref: 049B2885
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: ProcessTimes
                                            • String ID:
                                            • API String ID: 1995159646-0
                                            • Opcode ID: 63e9175c2af133dbb281af9271825bb273d7012a8220d79ca97b5f23367753a4
                                            • Instruction ID: 99afedef4a179dda03a04421a25044aa526757364c052dcd53a541fac599804a
                                            • Opcode Fuzzy Hash: 63e9175c2af133dbb281af9271825bb273d7012a8220d79ca97b5f23367753a4
                                            • Instruction Fuzzy Hash: AA31E5724093806FEB128F24DD45BA6BFB8EF46310F0885EAE9859B153C324A809C7B1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 049B2E02
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: FormatMessage
                                            • String ID:
                                            • API String ID: 1306739567-0
                                            • Opcode ID: a803abdc07e6b40b6f73384d6064c516a535a10284d3a12529b97ef449561036
                                            • Instruction ID: 672366aad0f677116a1cf0857839e1873694e60731b704df88c5ebcd8807c7c9
                                            • Opcode Fuzzy Hash: a803abdc07e6b40b6f73384d6064c516a535a10284d3a12529b97ef449561036
                                            • Instruction Fuzzy Hash: 9E318F7540E3C45FD7138B258C61B56BFB4EF87710F1A80CBD8848F1A3E6256909C7A2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateMutexW.KERNELBASE(?,?), ref: 049B019D
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: CreateMutex
                                            • String ID:
                                            • API String ID: 1964310414-0
                                            • Opcode ID: 40918980ea991528b156a40b9d04a1ac5b22bd1baf25f0efd8fc878e0f7751c2
                                            • Instruction ID: 77d0ec9065cb1962759f92f4c641ff5299319002a144cc00ebb9ff646948e05c
                                            • Opcode Fuzzy Hash: 40918980ea991528b156a40b9d04a1ac5b22bd1baf25f0efd8fc878e0f7751c2
                                            • Instruction Fuzzy Hash: C23181715097846FE722CF25DD85F96FFE8EF06310F0884AAE9848B292D365A908C761
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegQueryValueExW.KERNELBASE(?,00000E2C,43BC978E,00000000,00000000,00000000,00000000), ref: 0077ABB4
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559066144.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_77a000_host process.jbxd
                                            Similarity
                                            • API ID: QueryValue
                                            • String ID:
                                            • API String ID: 3660427363-0
                                            • Opcode ID: 8339bcb0e4776ae3c45c9091fdda4cbe59c8f1dbf90e308f204500f2874f2a79
                                            • Instruction ID: 8660b779102974c69af45dfb76ded3a1e704dde0102ba2b5cfbe8515e75c7229
                                            • Opcode Fuzzy Hash: 8339bcb0e4776ae3c45c9091fdda4cbe59c8f1dbf90e308f204500f2874f2a79
                                            • Instruction Fuzzy Hash: 5C31B5711093846FEB22CF25CC45F66BFACEF46710F08859AE9859B153D264E948CB71
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 049B217B
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: DescriptorSecurity$ConvertString
                                            • String ID:
                                            • API String ID: 3907675253-0
                                            • Opcode ID: f5a845d54b22d7982246d81bc3ab423acb6ee8e13bbbe49dcbd31de92f5a586d
                                            • Instruction ID: 56386f387045698edc7b5e587b85d1721727fb7e385a6650818c97362cc066d0
                                            • Opcode Fuzzy Hash: f5a845d54b22d7982246d81bc3ab423acb6ee8e13bbbe49dcbd31de92f5a586d
                                            • Instruction Fuzzy Hash: 2A21B171504384AFE7228F69DD45FAABFACEF45310F0884AAED84DB142D324A908CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: FileView
                                            • String ID:
                                            • API String ID: 3314676101-0
                                            • Opcode ID: 59ccc3a94a1cae628d75132d1111a6a46b0608d5fa409a9e508f9045851f348c
                                            • Instruction ID: b7a9e9550cb6b50be25059c4e61ff4146ed4037429e5006505546577f3e9edf6
                                            • Opcode Fuzzy Hash: 59ccc3a94a1cae628d75132d1111a6a46b0608d5fa409a9e508f9045851f348c
                                            • Instruction Fuzzy Hash: AC31C472404784AFE722CF19DD45F96FFF8EF06320F04859AE9849B252D365A509CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 0077AFEA
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559066144.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_77a000_host process.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 986f4f57bb2d8f5430ad038ea93ed160897427a7313b0ea0a0f3e173c4ca9569
                                            • Instruction ID: d80ada5ead7867b276a577a48292b754a3cccc098af0e271fb90879595b5a987
                                            • Opcode Fuzzy Hash: 986f4f57bb2d8f5430ad038ea93ed160897427a7313b0ea0a0f3e173c4ca9569
                                            • Instruction Fuzzy Hash: 3F31827540E3C06FD7138B258C55B25BFB4EF87610F0A81DBE884DB5A3D229A919C7B2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegQueryValueExW.KERNELBASE(?,00000E2C,43BC978E,00000000,00000000,00000000,00000000), ref: 049B055C
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: QueryValue
                                            • String ID:
                                            • API String ID: 3660427363-0
                                            • Opcode ID: 2395cb9cd3eba5fe499138eaa5f3ef6c7aec40b3dd811cf34d8b551cce8d8ccd
                                            • Instruction ID: 9b64b45fe7fef1ff6c7397e21fc193fabc6b9eb9c06e5b5b39e2d7e2fb6fba82
                                            • Opcode Fuzzy Hash: 2395cb9cd3eba5fe499138eaa5f3ef6c7aec40b3dd811cf34d8b551cce8d8ccd
                                            • Instruction Fuzzy Hash: 363180711097846FD722CB25DD85B92BFB8AF07710F0885EAE9859B5A3D364E808CB71
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 049B0353
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: Open
                                            • String ID:
                                            • API String ID: 71445658-0
                                            • Opcode ID: e1fef20aaf8bea2f2a2b5df670c8c72fca6b49ee25c69230cedd0060f6ca6dd0
                                            • Instruction ID: 0a87c38c3f01f51e133c4b42e12a658afe457d28994331a6580d8a2b4b14ee99
                                            • Opcode Fuzzy Hash: e1fef20aaf8bea2f2a2b5df670c8c72fca6b49ee25c69230cedd0060f6ca6dd0
                                            • Instruction Fuzzy Hash: 3E21A3750097806FE7228F24DD45FA6BFB8EF06310F0885DAE9849B193D265A949CBB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WSAStartup.WS2_32(?,00000E2C,?,?), ref: 0077A10E
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559066144.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_77a000_host process.jbxd
                                            Similarity
                                            • API ID: Startup
                                            • String ID:
                                            • API String ID: 724789610-0
                                            • Opcode ID: 6ef6bb7c7e37e6daccff80befcce8bf11b010513223c85ddf75aa8d9a6a33350
                                            • Instruction ID: 181ec69eaffc28f114823ad6171364f1abbde894ee24aea00de779a784f9f621
                                            • Opcode Fuzzy Hash: 6ef6bb7c7e37e6daccff80befcce8bf11b010513223c85ddf75aa8d9a6a33350
                                            • Instruction Fuzzy Hash: 5221C47140D3C06FD3128B258C55B66BFB4EF87620F1985DBDD84CF293D229A919CBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • OpenFileMappingW.KERNELBASE(?,?), ref: 049B2325
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: FileMappingOpen
                                            • String ID:
                                            • API String ID: 1680863896-0
                                            • Opcode ID: 0574b6b8255b0f9afa91ccb450954bfbe42d7878c807c092971ac121e0f0a374
                                            • Instruction ID: 7aa01f1234f108800a8d5cb6177bf4ca541a437d2e48223b7108fba3c831e730
                                            • Opcode Fuzzy Hash: 0574b6b8255b0f9afa91ccb450954bfbe42d7878c807c092971ac121e0f0a374
                                            • Instruction Fuzzy Hash: 762180715093806FE722CF25CD45F66FFA8EF45610F0884AAE9859B252D365A508CB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WSASocketW.WS2_32(?,?,?,?,?), ref: 049B1D9A
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: Socket
                                            • String ID:
                                            • API String ID: 38366605-0
                                            • Opcode ID: 3765353e8357f730531795b80b2ac730b202eb47bed051dfed256216ea30883e
                                            • Instruction ID: ec0ca5931568069d24ae3b3232206c347885c53aee7962b321203443ff07bdc9
                                            • Opcode Fuzzy Hash: 3765353e8357f730531795b80b2ac730b202eb47bed051dfed256216ea30883e
                                            • Instruction Fuzzy Hash: 1221B171409380AFE722CF65DD45FA6FFB8EF45310F08849EE9859B252C375A508CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 049B0E0D
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0
                                            • Opcode ID: 4e1e23ba7b4b7ac23d23256225b82264c6e56754d074fe451080cfb12ce76750
                                            • Instruction ID: 106cdd1b0318312769d14b3e7d80934d9cd79be421eb48e83285f4e570933fc6
                                            • Opcode Fuzzy Hash: 4e1e23ba7b4b7ac23d23256225b82264c6e56754d074fe451080cfb12ce76750
                                            • Instruction Fuzzy Hash: D0217F71504244AFE721DF69CE45BA7FBE8EF04710F04886AE9859B252D371F404CBB5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DeleteFileA.KERNELBASE(?,00000E2C), ref: 049B1463
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: DeleteFile
                                            • String ID:
                                            • API String ID: 4033686569-0
                                            • Opcode ID: 20bc8b0609a4e6186a42572892a2fa299ae0caecb0fc774f42abae3c31465ea2
                                            • Instruction ID: 53d881beddef0ed4fc4c17bfe99fe35039b84f0f5efeb95ed355b87800d8bcf2
                                            • Opcode Fuzzy Hash: 20bc8b0609a4e6186a42572892a2fa299ae0caecb0fc774f42abae3c31465ea2
                                            • Instruction Fuzzy Hash: B321F8711053806FE7228F25DD56BA6BFACDF42710F1880DAED849F192D365A849C7A1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E2C), ref: 049B217B
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: DescriptorSecurity$ConvertString
                                            • String ID:
                                            • API String ID: 3907675253-0
                                            • Opcode ID: f76939775ea94bbe32719e12813089c188515852e763affbc1cab355872e1a6c
                                            • Instruction ID: 06a34c92eaacdd764eb00b62760b4d32bc540ae0f65ce916349b4003b1c67967
                                            • Opcode Fuzzy Hash: f76939775ea94bbe32719e12813089c188515852e763affbc1cab355872e1a6c
                                            • Instruction Fuzzy Hash: 1021D771500244AFEB21DF69DD49FAAFB9CEF44310F04886AED85DB242D674A5048BB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 049B045E
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: QueryValue
                                            • String ID:
                                            • API String ID: 3660427363-0
                                            • Opcode ID: c94fc2086115ca16d8fd9706678e62f1367019a793d090fa67705bd0515bff70
                                            • Instruction ID: 8f407042f4180f3c0e60075528c54aa13038ec9d8c40ad26855352ac6e200da0
                                            • Opcode Fuzzy Hash: c94fc2086115ca16d8fd9706678e62f1367019a793d090fa67705bd0515bff70
                                            • Instruction Fuzzy Hash: FB21F571100204AEEB329F15CE45FB7FBACEF04710F04896AEE859B182D2B1A548CBB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegSetValueExW.KERNELBASE(?,00000E2C,43BC978E,00000000,00000000,00000000,00000000), ref: 049B1384
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: Value
                                            • String ID:
                                            • API String ID: 3702945584-0
                                            • Opcode ID: d5e968c4eb73dd6897f0317804702123e0cf28cffb6276a87adc6a95eb0b2f9c
                                            • Instruction ID: 8b7441c398df52a7981fdaecda79a6df729ec81071900b1aa7a7dff2b669b920
                                            • Opcode Fuzzy Hash: d5e968c4eb73dd6897f0317804702123e0cf28cffb6276a87adc6a95eb0b2f9c
                                            • Instruction Fuzzy Hash: 3C219272504780AFE7228F15CD45FA7BFACEF45710F0885AAED859B252D364E448CBB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • setsockopt.WS2_32(?,00000E2C,43BC978E,00000000,00000000,00000000,00000000), ref: 049B0FC5
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: setsockopt
                                            • String ID:
                                            • API String ID: 3981526788-0
                                            • Opcode ID: b6711e64c8b8a1b13054c0a0634a74543a3ae7b469382a63cf472434b3197a0d
                                            • Instruction ID: 5f2fd47651ace1863ff250f6e8b199ab7435c7c20e608efd70d9a07f7a845dd9
                                            • Opcode Fuzzy Hash: b6711e64c8b8a1b13054c0a0634a74543a3ae7b469382a63cf472434b3197a0d
                                            • Instruction Fuzzy Hash: AC21B271409384AFE7228F24DD45F56BFB8EF46714F0884ABE9849B153C225A409CBB2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0077AAB1
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559066144.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_77a000_host process.jbxd
                                            Similarity
                                            • API ID: Open
                                            • String ID:
                                            • API String ID: 71445658-0
                                            • Opcode ID: 8cad947c8cc18db84461ccb8c1ae50ddd5f40e62e952fea9460bbc5e53b9776a
                                            • Instruction ID: 8ffb944dc00bf26e952fcf4540db50732df0e230afebe090cf54fc26b9b8cdfb
                                            • Opcode Fuzzy Hash: 8cad947c8cc18db84461ccb8c1ae50ddd5f40e62e952fea9460bbc5e53b9776a
                                            • Instruction Fuzzy Hash: 86219F72500204AFFB229F19CE85F6AFBECEF44710F14C55AED459B242D664E908CBB6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateMutexW.KERNELBASE(?,?), ref: 049B019D
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: CreateMutex
                                            • String ID:
                                            • API String ID: 1964310414-0
                                            • Opcode ID: b6edec3ec7ffa18ccaf86c0066d0efc902119979db11ae4f10904beb69e1894c
                                            • Instruction ID: bf5b2619f860a00815705b44106497c0e54735d1ee40cca60fc5263817b4b14f
                                            • Opcode Fuzzy Hash: b6edec3ec7ffa18ccaf86c0066d0efc902119979db11ae4f10904beb69e1894c
                                            • Instruction Fuzzy Hash: 9721AF71500244AFE721DF29CE85FAAFBE8EF04310F04846AE9898B242D371F504CBB5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateDirectoryW.KERNELBASE(?,?), ref: 049B0D13
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: CreateDirectory
                                            • String ID:
                                            • API String ID: 4241100979-0
                                            • Opcode ID: 560cbd41e569ffde8cde1c8fb38bb658ae6c76edd3dc6d43dd820a49d0910f60
                                            • Instruction ID: 8b750c245a94f43bda2f319fb8d4c82075df109aed9f7a35e68d132647827eb1
                                            • Opcode Fuzzy Hash: 560cbd41e569ffde8cde1c8fb38bb658ae6c76edd3dc6d43dd820a49d0910f60
                                            • Instruction Fuzzy Hash: 242171715093809FD712CF25DD45B96BFA8EF46210F0984EAE988CF1A3D364E509CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetFileType.KERNELBASE(?,00000E2C,43BC978E,00000000,00000000,00000000,00000000), ref: 049B0EF9
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: FileType
                                            • String ID:
                                            • API String ID: 3081899298-0
                                            • Opcode ID: b6fb2d0ffe7fa0a8265d6d8a329f27de7ba10213e7debbf517da1a771b63db81
                                            • Instruction ID: 2122061e54f3a573580655c7611ca9b81912433ce2038f45cabe8a7e757d079f
                                            • Opcode Fuzzy Hash: b6fb2d0ffe7fa0a8265d6d8a329f27de7ba10213e7debbf517da1a771b63db81
                                            • Instruction Fuzzy Hash: 2321D5715083C46FE7128B259D45FA3BFACDF46620F0880DBED859B153D264A808C7B1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetTokenInformation.KERNELBASE(?,00000E2C,43BC978E,00000000,00000000,00000000,00000000), ref: 049B07E0
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: InformationToken
                                            • String ID:
                                            • API String ID: 4114910276-0
                                            • Opcode ID: 09b1078d45bb5402645b7b873bcb9b3b95351f062bec60b73706ce4aa58267fa
                                            • Instruction ID: 29a51cc5d49e9e720b0812e7a1dac54cf22a9e70ac8a8f6a2cbd7bafaa7c8e27
                                            • Opcode Fuzzy Hash: 09b1078d45bb5402645b7b873bcb9b3b95351f062bec60b73706ce4aa58267fa
                                            • Instruction Fuzzy Hash: 3611A271500244AFEB22CF65DE85FABFBACEF44320F14846AED85EB251D674A5048BB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegQueryValueExW.KERNELBASE(?,00000E2C,43BC978E,00000000,00000000,00000000,00000000), ref: 0077ABB4
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559066144.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_77a000_host process.jbxd
                                            Similarity
                                            • API ID: QueryValue
                                            • String ID:
                                            • API String ID: 3660427363-0
                                            • Opcode ID: ff2e357ab6f164753e9dad276a2dff8ceabff9057b554d14030c58b443734be7
                                            • Instruction ID: 04d438b7a9375ac1d53111f0938a4a469acdfa793c91e45c74deefc2806baa4e
                                            • Opcode Fuzzy Hash: ff2e357ab6f164753e9dad276a2dff8ceabff9057b554d14030c58b443734be7
                                            • Instruction Fuzzy Hash: D72181B1504204AFEB21CF15CD85F66FBECEF44750F14C56AED499B252D364E808CAB2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • OpenFileMappingW.KERNELBASE(?,?), ref: 049B2325
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: FileMappingOpen
                                            • String ID:
                                            • API String ID: 1680863896-0
                                            • Opcode ID: 422bda3305b5b65d97a72cbcebe199ae799226b8090508b140f6a1f2bfeccb09
                                            • Instruction ID: 0f447651a2d5b3b1b415534e9b139625b4526aa135438fe50c3bf120136df2ab
                                            • Opcode Fuzzy Hash: 422bda3305b5b65d97a72cbcebe199ae799226b8090508b140f6a1f2bfeccb09
                                            • Instruction Fuzzy Hash: D221A171504340AFE721DF29CE49BA6FBD8EF44720F1484AAED859B252D375B404CAB6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 049B1968
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: ChangeCloseFindNotification
                                            • String ID:
                                            • API String ID: 2591292051-0
                                            • Opcode ID: d064088c94cf4d8ebd9be94e311dfb957ba2e96bd98197fb64379db4c5007f42
                                            • Instruction ID: f054af366baabdc4b94cb8757dd7e40922d3bb4862e2bd41919aa0fa5ae3c576
                                            • Opcode Fuzzy Hash: d064088c94cf4d8ebd9be94e311dfb957ba2e96bd98197fb64379db4c5007f42
                                            • Instruction Fuzzy Hash: F921A17250A3C45FDB138F25DD55792BFA4AF47224F0980EAECC58F263D264A908CB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: FileView
                                            • String ID:
                                            • API String ID: 3314676101-0
                                            • Opcode ID: c399cd2e96243bd381f32d742d3a40a6a66a434b4ff8d9b841dddf4fcd01419d
                                            • Instruction ID: f804cb7ae5d9d14f3e2793eebd5b465e20e10e462f99956fabc27e27e93fd832
                                            • Opcode Fuzzy Hash: c399cd2e96243bd381f32d742d3a40a6a66a434b4ff8d9b841dddf4fcd01419d
                                            • Instruction Fuzzy Hash: 5021CF71500244AFE722CF19CE89BA6FBE9EF08310F0484AEE9849B651D375B508CBB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • K32EnumProcesses.KERNEL32(?,?,?,43BC978E,00000000,?,?,?,?,?,?,?,?,72733C38), ref: 049B1A22
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: EnumProcesses
                                            • String ID:
                                            • API String ID: 84517404-0
                                            • Opcode ID: 15de1c8abd3576c3570ba4b7a57845191ff05ced8834e9ab18ae1bace3fb8779
                                            • Instruction ID: 2de337a7f1f9aa77fae5e2c14a80f702b2ef69d24d98e5384c32c6274ed28ae2
                                            • Opcode Fuzzy Hash: 15de1c8abd3576c3570ba4b7a57845191ff05ced8834e9ab18ae1bace3fb8779
                                            • Instruction Fuzzy Hash: 78215E715093849FD712CF25DC95B92BFE8EF46220F0984EAE985CF163D264A908CB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WSASocketW.WS2_32(?,?,?,?,?), ref: 049B1D9A
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: Socket
                                            • String ID:
                                            • API String ID: 38366605-0
                                            • Opcode ID: d9908bc5c63223509766ddaac4d942c436fd6b6f4dbe6705b9b653ce221f4b37
                                            • Instruction ID: 6815153466800beb962a5ab5fcd5b85ca3597ffc9d21af90da69ea788036c223
                                            • Opcode Fuzzy Hash: d9908bc5c63223509766ddaac4d942c436fd6b6f4dbe6705b9b653ce221f4b37
                                            • Instruction Fuzzy Hash: 9121D171500240AFEB22DF69DE45BA6FBE8EF44310F04886EED859B252D371B404CBB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegQueryValueExW.KERNELBASE(?,00000E2C,43BC978E,00000000,00000000,00000000,00000000), ref: 049B055C
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: QueryValue
                                            • String ID:
                                            • API String ID: 3660427363-0
                                            • Opcode ID: 83149679c04f2bab3a00519c0363500644e35297fbe9d7e85dfbbf05f94fa746
                                            • Instruction ID: 691cb07de5dbbfd252adff12613b467c8d9e9e35cd5e6aa8c12e48c065fad7ee
                                            • Opcode Fuzzy Hash: 83149679c04f2bab3a00519c0363500644e35297fbe9d7e85dfbbf05f94fa746
                                            • Instruction Fuzzy Hash: 73116D71500644AEEB21CE16DE85BA7FBECEF05710F04C56AED869B652D360F408CAB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegSetValueExW.KERNELBASE(?,00000E2C,43BC978E,00000000,00000000,00000000,00000000), ref: 049B1384
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: Value
                                            • String ID:
                                            • API String ID: 3702945584-0
                                            • Opcode ID: 96cb789dad945b4c9e869659686a4e4883e188edf81182825c400eca5d7e4dc1
                                            • Instruction ID: 46e4d84d5468916d54a82045e03c385ce696a2ad682a91c8561adc3b1c3c1746
                                            • Opcode Fuzzy Hash: 96cb789dad945b4c9e869659686a4e4883e188edf81182825c400eca5d7e4dc1
                                            • Instruction Fuzzy Hash: 24118171600744AFE7219E15CE46FA7FBACEF44750F04856AEDC59B642E360F408CAB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 049B172E
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            • Opcode ID: c6aaf159b0f0e3218eb29796abe4559c155bc988291313fe2ee1874df53a7c79
                                            • Instruction ID: 9d87fb2a6d29bae9340e1a818a0896360b9b9681b9ef8af5bc591025de482986
                                            • Opcode Fuzzy Hash: c6aaf159b0f0e3218eb29796abe4559c155bc988291313fe2ee1874df53a7c79
                                            • Instruction Fuzzy Hash: 8A117F715053849FD721CF25DD85B96BFE8EF45220F0884AAED85CB252D234E808CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CopyFileW.KERNELBASE(?,?,?), ref: 049B1292
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: CopyFile
                                            • String ID:
                                            • API String ID: 1304948518-0
                                            • Opcode ID: c6aaf159b0f0e3218eb29796abe4559c155bc988291313fe2ee1874df53a7c79
                                            • Instruction ID: 8582cad751d9798d8e866227686b956fe8b336e8dcb9e1cc89fed5ae5bd806c2
                                            • Opcode Fuzzy Hash: c6aaf159b0f0e3218eb29796abe4559c155bc988291313fe2ee1874df53a7c79
                                            • Instruction Fuzzy Hash: 631172715053849FD721CF25DD85B97BFE8EF45220F0884AAED85DB652D334E808CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetProcessTimes.KERNELBASE(?,00000E2C,43BC978E,00000000,00000000,00000000,00000000), ref: 049B2885
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: ProcessTimes
                                            • String ID:
                                            • API String ID: 1995159646-0
                                            • Opcode ID: c2e7390abf8b2ba00cf1434e536a8276157b5ded123ceb39d339158d13011a96
                                            • Instruction ID: 5e9c2372ebdd69b218c941be27f9e4fa1b73ccf1034989c91b005622c3afeb7d
                                            • Opcode Fuzzy Hash: c2e7390abf8b2ba00cf1434e536a8276157b5ded123ceb39d339158d13011a96
                                            • Instruction Fuzzy Hash: 8911E671500244AFEB22CF55DE49FA6FBACEF44320F1484AAED859B251D370A408CBB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetKernelObjectSecurity.KERNELBASE(?,?,?), ref: 049B151A
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: KernelObjectSecurity
                                            • String ID:
                                            • API String ID: 3015937269-0
                                            • Opcode ID: e75276ef9d0f69b4642fec14478cbc55c3cb28338b523a68446c47b463b85a8b
                                            • Instruction ID: d760c17dd4dd8a674dc6e25af6e1a3678a69bed66d91705449031c2fa7de8db2
                                            • Opcode Fuzzy Hash: e75276ef9d0f69b4642fec14478cbc55c3cb28338b523a68446c47b463b85a8b
                                            • Instruction Fuzzy Hash: 282190751093C05FD7228F25DC55A92FFB8EF06214F0980EFED858B163D265A949CB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetSystemInfo.KERNELBASE(?), ref: 049B15C0
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: InfoSystem
                                            • String ID:
                                            • API String ID: 31276548-0
                                            • Opcode ID: 033f71dcd3aa2e1ed8de766bf4f53c1a75188a9696105be1fa21c2d4df02ab80
                                            • Instruction ID: 8a0d0103f238738237d1d871df15721f526cc709ddb60d32f5c7fb12bb158394
                                            • Opcode Fuzzy Hash: 033f71dcd3aa2e1ed8de766bf4f53c1a75188a9696105be1fa21c2d4df02ab80
                                            • Instruction Fuzzy Hash: E5119D7140D3C49FDB128F25DC95692BFB4EF43224F1980EBDD858F153D269A909CB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0077A58A
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559066144.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_77a000_host process.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: a54804788bffe66f972fff114af88d8cd1c63b288d182596707a0057dc293943
                                            • Instruction ID: 6e6fe2a8366003b33f391d09199fd059a51c77cd17a55bd22e613316bcedd2f1
                                            • Opcode Fuzzy Hash: a54804788bffe66f972fff114af88d8cd1c63b288d182596707a0057dc293943
                                            • Instruction Fuzzy Hash: A4117571409384AFDB228F55DC44A52FFF4EF4A320F08859EED858B153C375A418DB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SendMessageW.USER32(?,?,?,?), ref: 0077B841
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559066144.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_77a000_host process.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID:
                                            • API String ID: 3850602802-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 049B0353
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: Open
                                            • String ID:
                                            • API String ID: 71445658-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DeleteFileA.KERNELBASE(?,00000E2C), ref: 049B1463
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: DeleteFile
                                            • String ID:
                                            • API String ID: 4033686569-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • setsockopt.WS2_32(?,00000E2C,43BC978E,00000000,00000000,00000000,00000000), ref: 049B0FC5
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: setsockopt
                                            • String ID:
                                            • API String ID: 3981526788-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 0077BBB9
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559066144.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_77a000_host process.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DispatchMessageW.USER32(?), ref: 0077BE70
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559066144.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_77a000_host process.jbxd
                                            Similarity
                                            • API ID: DispatchMessage
                                            • String ID:
                                            • API String ID: 2061451462-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateIconFromResourceEx.USER32 ref: 0077B78A
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559066144.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_77a000_host process.jbxd
                                            Similarity
                                            • API ID: CreateFromIconResource
                                            • String ID:
                                            • API String ID: 3668623891-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetCurrentDirectoryW.KERNELBASE(?), ref: 0077BF0C
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559066144.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_77a000_host process.jbxd
                                            Similarity
                                            • API ID: CurrentDirectory
                                            • String ID:
                                            • API String ID: 1611563598-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559066144.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_77a000_host process.jbxd
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 049B172E
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CopyFileW.KERNELBASE(?,?,?), ref: 049B1292
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: CopyFile
                                            • String ID:
                                            • API String ID: 1304948518-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetFileType.KERNELBASE(?,00000E2C,43BC978E,00000000,00000000,00000000,00000000), ref: 049B0EF9
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: FileType
                                            • String ID:
                                            • API String ID: 3081899298-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateDirectoryW.KERNELBASE(?,?), ref: 049B0D13
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: CreateDirectory
                                            • String ID:
                                            • API String ID: 4241100979-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • K32EnumProcesses.KERNEL32(?,?,?,43BC978E,00000000,?,?,?,?,?,?,?,?,72733C38), ref: 049B1A22
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: EnumProcesses
                                            • String ID:
                                            • API String ID: 84517404-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetWindowLongW.USER32(?,?,?), ref: 0077A926
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559066144.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_77a000_host process.jbxd
                                            Similarity
                                            • API ID: LongWindow
                                            • String ID:
                                            • API String ID: 1378638983-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 049B2E02
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: FormatMessage
                                            • String ID:
                                            • API String ID: 1306739567-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetCurrentDirectoryW.KERNELBASE(?), ref: 0077BF0C
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559066144.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_77a000_host process.jbxd
                                            Similarity
                                            • API ID: CurrentDirectory
                                            • String ID:
                                            • API String ID: 1611563598-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WSAStartup.WS2_32(?,00000E2C,?,?), ref: 0077A10E
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559066144.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_77a000_host process.jbxd
                                            Similarity
                                            • API ID: Startup
                                            • String ID:
                                            • API String ID: 724789610-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetKernelObjectSecurity.KERNELBASE(?,?,?), ref: 049B151A
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: KernelObjectSecurity
                                            • String ID:
                                            • API String ID: 3015937269-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0077A58A
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559066144.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_77a000_host process.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateIconFromResourceEx.USER32 ref: 0077B78A
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559066144.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_77a000_host process.jbxd
                                            Similarity
                                            • API ID: CreateFromIconResource
                                            • String ID:
                                            • API String ID: 3668623891-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DnsQuery_A.DNSAPI(?,00000E2C,?,?), ref: 049B1CE2
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: Query_
                                            • String ID:
                                            • API String ID: 428220571-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 049B0264
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: ChangeCloseFindNotification
                                            • String ID:
                                            • API String ID: 2591292051-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 049B1968
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560488641.00000000049B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_49b0000_host process.jbxd
                                            Similarity
                                            • API ID: ChangeCloseFindNotification
                                            • String ID:
                                            • API String ID: 2591292051-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 0077AFEA
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559066144.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_77a000_host process.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 0077BBB9
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559066144.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_77a000_host process.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559066144.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_77a000_host process.jbxd
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SendMessageW.USER32(?,?,?,?), ref: 0077B841
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559066144.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_77a000_host process.jbxd
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID:
                                            • API String ID: 3850602802-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetWindowLongW.USER32(?,?,?), ref: 0077A926
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559066144.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_77a000_host process.jbxd
                                            Similarity
                                            • API ID: LongWindow
                                            • String ID:
                                            • API String ID: 1378638983-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetErrorMode.KERNELBASE(?), ref: 0077A3A4
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559066144.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_77a000_host process.jbxd
                                            Similarity
                                            • API ID: ErrorMode
                                            • String ID:
                                            • API String ID: 2340568224-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DispatchMessageW.USER32(?), ref: 0077BE70
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559066144.000000000077A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0077A000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_77a000_host process.jbxd
                                            Similarity
                                            • API ID: DispatchMessage
                                            • String ID:
                                            • API String ID: 2061451462-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID: 0-3916222277
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID: 0-3916222277
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: hXMr
                                            • API String ID: 0-1185242784
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: }x
                                            • API String ID: 0-54747463
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $gq
                                            • API String ID: 0-815412418
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: hex
                                            • API String ID: 0-4291896678
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $gq
                                            • API String ID: 0-815412418
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: r*+
                                            • API String ID: 0-3221063712
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: d@Lr
                                            • API String ID: 0-123544209
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: d@Lr
                                            • API String ID: 0-123544209
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 8$q
                                            • API String ID: 0-2903697390
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Huq
                                            • API String ID: 0-1435254529
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Huq
                                            • API String ID: 0-1435254529
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 8$q
                                            • API String ID: 0-2903697390
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: X1q
                                            • API String ID: 0-4213818131
                                            • Opcode ID: 3cf80525c0b206d4bf79f03f052c806e378f1c3fd4bb98e1442ff43750526ef5
                                            • Instruction ID: b7ac380e4bc2a0ad2f10fe60ebc096faaee71dc059b424b59d378909b67d6b26
                                            • Opcode Fuzzy Hash: 3cf80525c0b206d4bf79f03f052c806e378f1c3fd4bb98e1442ff43750526ef5
                                            • Instruction Fuzzy Hash: C4F050333002598BCA2476BD541037E32CA87C6A55F84497EE10BD7781FE6DAC429362
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Huq
                                            • API String ID: 0-1435254529
                                            • Opcode ID: 485dc03163286656df9e6a0355fa204ad071ddd3fabb144f10ca65e379bfb0e3
                                            • Instruction ID: ea9d611e09c960a2486f495bcc04bc9185121f8182057c227ce2fd6a0bb5554c
                                            • Opcode Fuzzy Hash: 485dc03163286656df9e6a0355fa204ad071ddd3fabb144f10ca65e379bfb0e3
                                            • Instruction Fuzzy Hash: ADF0593170810853CB14766E5D85A3D6A4BABC5274774873DA02FDF3D6EE286C0143B2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: px
                                            • API String ID: 0-1885066858
                                            • Opcode ID: 8bfaf0f47b84e5445b95586bae158d355a71d3c58ea848e82da8adbd67f43d6e
                                            • Instruction ID: 655c7aa97b4870d4c5764075a3bb28ff85de2770695fea7091c66915f41814d2
                                            • Opcode Fuzzy Hash: 8bfaf0f47b84e5445b95586bae158d355a71d3c58ea848e82da8adbd67f43d6e
                                            • Instruction Fuzzy Hash: 38E0686D7481108FEB0551744CA28FC6769C6C7680315886EE84ADB243C453EC0B8BE0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Px
                                            • API String ID: 0-2979723630
                                            • Opcode ID: 574ccb784f3b3ae44f2132e4e24a68bb793093ee0529ca5f407dc515e0d932c1
                                            • Instruction ID: 45e5e7515d0fc77da7e8db9f79a36de2c8af32bcd593af9bf673d16f6052a684
                                            • Opcode Fuzzy Hash: 574ccb784f3b3ae44f2132e4e24a68bb793093ee0529ca5f407dc515e0d932c1
                                            • Instruction Fuzzy Hash: 29F0E5757186418FD721F728D92047A7FA2DBC13253148D7FD05ECB642FA31E8028790
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Px
                                            • API String ID: 0-2979723630
                                            • Opcode ID: fd8e56a9d981f28c84ccf028108dc22195e7f7abf5ea65cce0d2fc491628af01
                                            • Instruction ID: 6622e9772b66d49870293752eb7995d8b71ed851ce65621ab9c66e80761e8906
                                            • Opcode Fuzzy Hash: fd8e56a9d981f28c84ccf028108dc22195e7f7abf5ea65cce0d2fc491628af01
                                            • Instruction Fuzzy Hash: A2E09A353046108B8621A658C92082A7B9ADBC1666320892EE41ADB742EE62E8028790
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: lq
                                            • API String ID: 0-573745274
                                            • Opcode ID: 52ed4f581e162613cf198ced4db25ab8d09165ad7cb8824314a1da24f1a2b751
                                            • Instruction ID: b0d550a8104348cab3448f03c899e263673bc31567c4d2f17f7aa5bd346a9cf8
                                            • Opcode Fuzzy Hash: 52ed4f581e162613cf198ced4db25ab8d09165ad7cb8824314a1da24f1a2b751
                                            • Instruction Fuzzy Hash: 74D0A721781519136E4576765C1553F334E7BC1A92385893CF80AFA340DD1D9C0183FA
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Lmx
                                            • API String ID: 0-139215186
                                            • Opcode ID: d0d6af9c23ef93210577955bde82f8e643bbe0963e7357a56d39eb8b70fa43a4
                                            • Instruction ID: 5755f8984c8e7746e4ebe07a8699ad1e52b9340f9e1b54e5c7a1544c7332adaa
                                            • Opcode Fuzzy Hash: d0d6af9c23ef93210577955bde82f8e643bbe0963e7357a56d39eb8b70fa43a4
                                            • Instruction Fuzzy Hash: E8D05E30309254CFC353AB28A9A15D13BF1AF4B301306CE9EE08AD7616C7A5BC0A9B65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: px
                                            • API String ID: 0-1885066858
                                            • Opcode ID: 3aca502edc6c1d344821350b9400ab799e4b66a81ed62538af4fae9eed9428c7
                                            • Instruction ID: 7fb2f7a880919e1aafd91d33c2b518c6a6d6b43e8e98770bba618fa876bd87d9
                                            • Opcode Fuzzy Hash: 3aca502edc6c1d344821350b9400ab799e4b66a81ed62538af4fae9eed9428c7
                                            • Instruction Fuzzy Hash: 64D0A7353001155B6A04A5B8CC1187973CECBC6954345887DF90EEB345CD77EC028BE0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 480eac0c035c1ac0a49ba371021cab59acf6db7130cc51ef7f275d0569b6de3b
                                            • Instruction ID: a9da82677be0dd1b863e559b0cb56c5651da22bce9d7c5349f489c456523d77d
                                            • Opcode Fuzzy Hash: 480eac0c035c1ac0a49ba371021cab59acf6db7130cc51ef7f275d0569b6de3b
                                            • Instruction Fuzzy Hash: 06419E31A00215DFDF24EF69D48466DB7B2FF44311F158A6AEA09DB291E738EC81CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a5d0660bd00ace038e09eca3fdffaf6027b328cab4059b2430dececbde692c6b
                                            • Instruction ID: 851daf67c23940b39a6e996257dfe61307f4f5097dee1413b4e1393e7bd63eba
                                            • Opcode Fuzzy Hash: a5d0660bd00ace038e09eca3fdffaf6027b328cab4059b2430dececbde692c6b
                                            • Instruction Fuzzy Hash: D7815031A00619CFDF15DF14C89069AB7B2AF85304F15C999D80ABF216EB71BE86CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fcdf95cd3d4d27af923bad727e4ed3a037e7e4106241a967c9f95caa0aa97cbb
                                            • Instruction ID: d34e99bbfefb89386f1a959b8dcb061839d9cabcebfa00824c2c5d456930e17d
                                            • Opcode Fuzzy Hash: fcdf95cd3d4d27af923bad727e4ed3a037e7e4106241a967c9f95caa0aa97cbb
                                            • Instruction Fuzzy Hash: 7F81F2707005168BEB04EB68C959A7E7BA3FFC5304F60852CE1199B796DF74AC028792
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 102a9c6364323fd210d995a4db11ecaf4b857581f01a4d87be1e99862ef4686c
                                            • Instruction ID: ac2bbb5b18e442abff632bf7183d8b3b41fb6c67a77965dffdb3986f997c60bd
                                            • Opcode Fuzzy Hash: 102a9c6364323fd210d995a4db11ecaf4b857581f01a4d87be1e99862ef4686c
                                            • Instruction Fuzzy Hash: 80713834A04209CFDB14EF69C484AA9BBF2BF88315F148A5DD416E7661DB35FC82DB50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ab215b25c74e72a686970b61da5146bce7554813ffa1a6fafeb18975ac558110
                                            • Instruction ID: 2b2e9f0a1edcfbf2994b10e1e1f158a2d00fc2b06dd474eed2bfafaa8aef84be
                                            • Opcode Fuzzy Hash: ab215b25c74e72a686970b61da5146bce7554813ffa1a6fafeb18975ac558110
                                            • Instruction Fuzzy Hash: 8E517F71A00119DFCF05EF94C4848AEB7B7BF84304B158969E90AFB255EB35BD06CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 08aaa552224f52a3cacf6a7224878ee270c34d8e181b67488da9ee7967263696
                                            • Instruction ID: 4d1937259479adf720471179d16ef3a902152dd8e17f13fe4cb555a7b2c05007
                                            • Opcode Fuzzy Hash: 08aaa552224f52a3cacf6a7224878ee270c34d8e181b67488da9ee7967263696
                                            • Instruction Fuzzy Hash: 4B314731A0021ECBDF11EF14CD546DAB7B2EF85305F618998D909BB205E7B07A8ACF80
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: af205b63fb94a94770ff05e7183212fde299a85f649c37266cbe41d548a67205
                                            • Instruction ID: 56511303ad54a6f362ff49bb9ae53c803cbd9e41a2a813f61c61541080f08573
                                            • Opcode Fuzzy Hash: af205b63fb94a94770ff05e7183212fde299a85f649c37266cbe41d548a67205
                                            • Instruction Fuzzy Hash: 8A516131B002188BCB18EBBDC9505AEB7F3AFC4304B65896DD40AEB355DE71AD41CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 07c4698549d3c925c4595c470a4aa39251115c670114a077556489a12e45ec66
                                            • Instruction ID: e43b06b0a5ec8d46d1ad17549b5b0cb8a2bcde5f6b7c05463a2419925926d8fd
                                            • Opcode Fuzzy Hash: 07c4698549d3c925c4595c470a4aa39251115c670114a077556489a12e45ec66
                                            • Instruction Fuzzy Hash: 23511775D00219CFCB18DFA8D98469DBBF1FF48314F208A6AD45AE7294E7316945CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7b5240a50d7bf1935d6a86fc5b53de90a41d572a0508a2615d60e311f2d73a42
                                            • Instruction ID: 47dd47db3b4a9612ce6d6f6287c79943afd22f637e86bbc123c5b9a0911d20fd
                                            • Opcode Fuzzy Hash: 7b5240a50d7bf1935d6a86fc5b53de90a41d572a0508a2615d60e311f2d73a42
                                            • Instruction Fuzzy Hash: 8C518234A00245CFDB15EF78C698BADB7F2BF45305F6486A9D409DB296EB30AC41CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fa4f886b6588854c33d7eeb77989526d0d5bba5598dc7c85248513f59845ac4f
                                            • Instruction ID: 76f8d89b7b506f20fc32b8a111ad02297cde97a9e5ec99c261b7f8686d11b739
                                            • Opcode Fuzzy Hash: fa4f886b6588854c33d7eeb77989526d0d5bba5598dc7c85248513f59845ac4f
                                            • Instruction Fuzzy Hash: D251D330A00604DFD718FF79C98456ABBE2EF88314B64CA2DD056D7659EB74B801CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4016a13965ab3b3cef95eb9fd4bc31b0f39cf72eedc046f447920a6e3a108327
                                            • Instruction ID: 1adbd29e580200284fe0713347207388bcd215ebf25563b7122f74a9ab8e8081
                                            • Opcode Fuzzy Hash: 4016a13965ab3b3cef95eb9fd4bc31b0f39cf72eedc046f447920a6e3a108327
                                            • Instruction Fuzzy Hash: 1541AD31B0414ADFCB14FF68D5849A9FBB1FB44318F548A6AE816CB251E730EC46CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: db0b66fe53dce33c4378a82ae335ea5b7582591f03b763b88b26726f9ef7a9f2
                                            • Instruction ID: 6c707d10a72354230a43bfc9ae135f0f02c3fda6ad0481b9fc18525f905fdfaf
                                            • Opcode Fuzzy Hash: db0b66fe53dce33c4378a82ae335ea5b7582591f03b763b88b26726f9ef7a9f2
                                            • Instruction Fuzzy Hash: A641BF30A01704CFDB18FF79C99456ABBE2FB88314B64CA2DD456D7299EB74B801DB60
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: de8c7246027d5ea6fafb65bc4f67d0effe0fdc6363c642b3e75e6e0c4b54ebc9
                                            • Instruction ID: a98a18ac050859e9c03f7231bd1320d64a1554da6ad65011ae6bcc36bb5c9f83
                                            • Opcode Fuzzy Hash: de8c7246027d5ea6fafb65bc4f67d0effe0fdc6363c642b3e75e6e0c4b54ebc9
                                            • Instruction Fuzzy Hash: C54108B070D299CFC711AB6888985747FF4EF42219B098E9FD06ACB552E739BC01D751
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4dcf2d9658b6482fd9047eaa5c3e632684d77219b8e4ec90ab7f078a9205ad57
                                            • Instruction ID: bc080ff02c1adb85acc83d5120dcc82f4044d5c070fd3e23d0e727a54b1f160d
                                            • Opcode Fuzzy Hash: 4dcf2d9658b6482fd9047eaa5c3e632684d77219b8e4ec90ab7f078a9205ad57
                                            • Instruction Fuzzy Hash: 9041B275E00209DFDB54DFA8C484AADBBB1FF48314F2489A9E815EB356D731A842CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 61f1508f38887b36432473bbf83db03349adaa99f26602add737fee4a0b4486c
                                            • Instruction ID: 8f4f987b1761864f7e81a30b12d9a817c880facf61395bb7b80686c463f4d390
                                            • Opcode Fuzzy Hash: 61f1508f38887b36432473bbf83db03349adaa99f26602add737fee4a0b4486c
                                            • Instruction Fuzzy Hash: F541B234B01640CF8B09BB69956016D77E2FB8C60239485ACE80AD778ADF79AC02CB52
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 13c80fc27a876af3a15f8c4b4a96588fcdd56443e4f1bfc004f25a0dad5e550d
                                            • Instruction ID: fbac28b795e261b6a90813f310483b7fa8504c1bf7c353157ac33f7f8059adcd
                                            • Opcode Fuzzy Hash: 13c80fc27a876af3a15f8c4b4a96588fcdd56443e4f1bfc004f25a0dad5e550d
                                            • Instruction Fuzzy Hash: D3114F75A05109DFCB54EF58C541ABEBBF4EB88215B208A5EE406E3240F731BD06DB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5603db219163675713fd00170257c2ee25c796ae775c677d18af4112d4a94061
                                            • Instruction ID: 05a5d761ba2575c296615dbd0996885ad732d485e77b34e457d604eea54d73ab
                                            • Opcode Fuzzy Hash: 5603db219163675713fd00170257c2ee25c796ae775c677d18af4112d4a94061
                                            • Instruction Fuzzy Hash: 3F11C131B400089FD708BB69C850A6E77E7AFC8314758856DE80ADB355DE32AC02E7A1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 947edee12b09740bb8ded535460d3f1a3bb8f5506790fafecef5dbdb13e7bf59
                                            • Instruction ID: 66d34cdb80607ade6db25cc3fa5fbc187baaefe3b008d776ee130e90cb38d7d6
                                            • Opcode Fuzzy Hash: 947edee12b09740bb8ded535460d3f1a3bb8f5506790fafecef5dbdb13e7bf59
                                            • Instruction Fuzzy Hash: 2F119D313092C4CFC706E72894689697FA5AF87205B1A49EFD046CB2B3DF656C0A9762
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559488462.00000000022E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_22e0000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 54607adaacc89049c75604308606a5f3a5aead24c6926dbd84009962bc9f8ee4
                                            • Instruction ID: d5534c8433f1768d020efd93e028daf464a7ebbfb6d0dc600f42689d49b071f1
                                            • Opcode Fuzzy Hash: 54607adaacc89049c75604308606a5f3a5aead24c6926dbd84009962bc9f8ee4
                                            • Instruction Fuzzy Hash: C9112C34214285DFD715CB94C944F26BBD1EB58708F64C59CE98A1B747C3BBD403DA51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ff0baa03860b8cdaea58285d74a4275112822130e80bef1456cd4e4a1baf2a20
                                            • Instruction ID: f1f754c98f9387e685d9452aa078b109fd81a301c74228e9b2521b44fb05c085
                                            • Opcode Fuzzy Hash: ff0baa03860b8cdaea58285d74a4275112822130e80bef1456cd4e4a1baf2a20
                                            • Instruction Fuzzy Hash: A611B23031C244CBD616BB28861453DBB969FD63193548A6EA04BEB786EE36FC438761
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8bde36c9c18a46f66190cedf3a3164c3f048cce8e80e25744d2fd7cea13f96b2
                                            • Instruction ID: a07534401b1d161f2072a44f5d0ac63aa50dbd7f6d1004dd1c59d6bab72ac6f4
                                            • Opcode Fuzzy Hash: 8bde36c9c18a46f66190cedf3a3164c3f048cce8e80e25744d2fd7cea13f96b2
                                            • Instruction Fuzzy Hash: 1711A071A01209CFDB41FBB9A9507EEBFA1EB80211F548A6AD405E7281EB7069068BD1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0892ea34d692dbf5fa0abf6f26bfcc585f9e37acc4bb556fdac096084c2fd40f
                                            • Instruction ID: a39629f19058f1ca060aa67219ace2894a32d49c1b74150a48540f1e6d6bcb2d
                                            • Opcode Fuzzy Hash: 0892ea34d692dbf5fa0abf6f26bfcc585f9e37acc4bb556fdac096084c2fd40f
                                            • Instruction Fuzzy Hash: 17114C34300A019FC728EA19C554966F3A7FF98314B14CA1DE85A87F94CB75FC42DBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559488462.00000000022E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_22e0000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ca8f99d39a87de29bd65eb288fdf9193728ec72dfd93384a3554c6e458f3f4bc
                                            • Instruction ID: 7ef8a705a4854d36a2117e4d8232961eca82a84d63a80e0b7ae5ff51d82696b9
                                            • Opcode Fuzzy Hash: ca8f99d39a87de29bd65eb288fdf9193728ec72dfd93384a3554c6e458f3f4bc
                                            • Instruction Fuzzy Hash: E6216A351093C08FDB17CB60C850B15BFB2AF57304F1A85EAD4899B6A3C33A8916DB52
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e3f8e19a2705054eefd9e1f2fba71d6997924b10e3f084189be39a6670606664
                                            • Instruction ID: 6d84048dd8325eae1abfe9ae885cee12a2b459cedf62b52fff840aec4d0e128d
                                            • Opcode Fuzzy Hash: e3f8e19a2705054eefd9e1f2fba71d6997924b10e3f084189be39a6670606664
                                            • Instruction Fuzzy Hash: B2118231A16349DFCF58FF7498516EE7BB2AB48301B908929D006D7295E7796901CB50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6d7bf7bc518f375693d43bdbf3576e9d5406c68009c43f06d01a809800522d9a
                                            • Instruction ID: e6ccfc87a0d03aa426921f515ada3d2f053b2f2d2c1c0f4a8a6afe10fd7a6df3
                                            • Opcode Fuzzy Hash: 6d7bf7bc518f375693d43bdbf3576e9d5406c68009c43f06d01a809800522d9a
                                            • Instruction Fuzzy Hash: AD1106713003908FEB0DAB38941873937E7E7D9712F0585A8E406EB345DA79AC42CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b9bc8aaf98db472c11f4684d4e04eb62d08baf2dd9e01507825ccc148ca559bc
                                            • Instruction ID: 64dd157d6ba4b9da87db79129a224492f4b4dda2960358b634fa18767e5a7fe3
                                            • Opcode Fuzzy Hash: b9bc8aaf98db472c11f4684d4e04eb62d08baf2dd9e01507825ccc148ca559bc
                                            • Instruction Fuzzy Hash: FF01D631F0015A8FCB51DFB888512EE7BF29F88200F20897DC44AE7251EA3549438B91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559090999.0000000000782000.00000040.00000800.00020000.00000000.sdmp, Offset: 00782000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_782000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bb7c79c0f643ef49a066798fb5c40295e3d6d2fe8deaff2b7969af2fdab4ae73
                                            • Instruction ID: 8239bfbd730070396c01a415fd13768dd77509544682640ec6d9e434cddd3aa5
                                            • Opcode Fuzzy Hash: bb7c79c0f643ef49a066798fb5c40295e3d6d2fe8deaff2b7969af2fdab4ae73
                                            • Instruction Fuzzy Hash: AC11ECB5608345AFD350CF09D881A57FBE8EB88660F04892EFD9897311D331E9048BA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 67d8ce34d700bc06ada04a095cd7468932ea62181a2db7cab00def0e39a46cf5
                                            • Instruction ID: 829b6b5bd7c2a88b51e11de9e619976455f0d00d86a2408eae0db0ff9dfe10ec
                                            • Opcode Fuzzy Hash: 67d8ce34d700bc06ada04a095cd7468932ea62181a2db7cab00def0e39a46cf5
                                            • Instruction Fuzzy Hash: DC01F731B00228DFCB0837B9981812F76DAFBC82247A0893DE50AD3342DD799C0283A1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 72224a1f74e80c6d7e0985e04d87d78fb335c2b69df2e7857ec363373de55920
                                            • Instruction ID: 2a48bc527675b76c9def8e4abfdff4b05ff44889374e31916cc8c97bac0cd5e5
                                            • Opcode Fuzzy Hash: 72224a1f74e80c6d7e0985e04d87d78fb335c2b69df2e7857ec363373de55920
                                            • Instruction Fuzzy Hash: 0D01F575700390CFD70AAB38D5487253BE3E7AA302B0585A9E806DB256D678AC47CB54
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 52e38907d3017244cf4a55c3a97f09b3e563775dee3e3a0ef46f4aef7a2e6664
                                            • Instruction ID: 32f72bc84487d0110a8ab75f84d829803c5a5859473a0e812ce0b2466425d824
                                            • Opcode Fuzzy Hash: 52e38907d3017244cf4a55c3a97f09b3e563775dee3e3a0ef46f4aef7a2e6664
                                            • Instruction Fuzzy Hash: DD019231B041089BCB15AA54CD556BEBBF39BC4314F24496EC006E7241EB71BD019BD1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 145d2f8c19e8db027faec8100378e4f584e44e4ca002ec77e54c0483de2aea5c
                                            • Instruction ID: 8f27f4649abdaa667eced197f8552c7b38bf14d7394fcdaf7bd0e41a7db0a622
                                            • Opcode Fuzzy Hash: 145d2f8c19e8db027faec8100378e4f584e44e4ca002ec77e54c0483de2aea5c
                                            • Instruction Fuzzy Hash: AD019231B041089BCB19AA5CC954ABFBBB19B84314F14496FC406E76C1EBB17D019BD1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 177678f3ddd11df1a342cc66263d0c1431f82fb85340bf85054fa4d7a57a3d63
                                            • Instruction ID: 181da8c15a1f75e70e62c06d938d71cc8653cf914cbcf84bd7eee8e156e9d5bf
                                            • Opcode Fuzzy Hash: 177678f3ddd11df1a342cc66263d0c1431f82fb85340bf85054fa4d7a57a3d63
                                            • Instruction Fuzzy Hash: 31118230A01309DFDB14FF70D5407AE77B1EB44345FA0862ED402E7289E779A801CB95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4f7582c47f5fcbdb4c8d9e3e899e03a7e8e5d70dfeb7616c669d4bec1037f93c
                                            • Instruction ID: cd2f5daae75151a7b8a9184d08e92548e556e61fa26832ca92436acc771ade1b
                                            • Opcode Fuzzy Hash: 4f7582c47f5fcbdb4c8d9e3e899e03a7e8e5d70dfeb7616c669d4bec1037f93c
                                            • Instruction Fuzzy Hash: 03017530304194CFC705E72CD05C9697BE6BFC660571585EEE006CB6B6DF75AC0A9782
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: db22199a983b24625b7487ce5730428d2d718b9d5c2a378bc1b6d462cdcdf31b
                                            • Instruction ID: 5b4d17d1652ecff1065dc4d450cdefd8a0c7980ae79de90090bd64f3bb71cb43
                                            • Opcode Fuzzy Hash: db22199a983b24625b7487ce5730428d2d718b9d5c2a378bc1b6d462cdcdf31b
                                            • Instruction Fuzzy Hash: F7019E30B081999FD725EA2489A57BEBBF36BC4314F684E5DC006E7641EB61BD019B90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 035a4114225ac0b1e086d1e20b17875d7396a880888754bb9424ce8d018c5df4
                                            • Instruction ID: 7077fccc01a507da484a9f749b206cb01249167e6eada887bfd6187083bfb3ec
                                            • Opcode Fuzzy Hash: 035a4114225ac0b1e086d1e20b17875d7396a880888754bb9424ce8d018c5df4
                                            • Instruction Fuzzy Hash: BA01DF30E00246CFCF58EFB89A093AEBFF4EB44201F508A6AD905D7281E7319942CBD1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e577994ea48ebb41bc36f151d304543c64190c80cfebdf00324e11d178867e5f
                                            • Instruction ID: e83037080f6a57f46201fc8919fe62fbbfb16b52b5913953107469af59ab3352
                                            • Opcode Fuzzy Hash: e577994ea48ebb41bc36f151d304543c64190c80cfebdf00324e11d178867e5f
                                            • Instruction Fuzzy Hash: ED018F31E002099FCF54FFB8A9053AEBBF4EB84251F104A3AD519D3280E770A9408BD1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: af19b5db8131dd95b1595ca66a354a3bf823a8b81d602625ac4163f5c1e37222
                                            • Instruction ID: 07d5b25b6685bbc2f4b6e8280840057b679f47f06651b37ebde38a1c54914ef6
                                            • Opcode Fuzzy Hash: af19b5db8131dd95b1595ca66a354a3bf823a8b81d602625ac4163f5c1e37222
                                            • Instruction Fuzzy Hash: FC019E30A041489BC719AB1CC954ABFBBB19B84304F14095EC446E76C1EBA1BD02ABC1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cd76b28dc85a0b01bb9624ad59354eee6378db8c0d8503644903d0ad92652593
                                            • Instruction ID: 18c09ef94c6525e73fde3eedfcc52afd89aa9c751973637caba03b6b741e9ff8
                                            • Opcode Fuzzy Hash: cd76b28dc85a0b01bb9624ad59354eee6378db8c0d8503644903d0ad92652593
                                            • Instruction Fuzzy Hash: 47018B71E01209CFDF50EBB9E9407AEBBF4EB84611F90457AD908E3281E770A940CBD1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b70aee0365f35f9af20d6f8234c1f4e275795ebb899d29549644eb894cb077f2
                                            • Instruction ID: f4883c88fc3888e10d26f487bd678d73f25a068c771bb348ed80b0472d50cdf0
                                            • Opcode Fuzzy Hash: b70aee0365f35f9af20d6f8234c1f4e275795ebb899d29549644eb894cb077f2
                                            • Instruction Fuzzy Hash: 02019231709249CFC71EAB2C895467E7BB15B85218F184E8FC047DB2C2EB657D02AB82
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5ece2a4e5acb4df759f1c8a389c6c8198ddb3299e29c21ccdcd06e81716ab98e
                                            • Instruction ID: 70ea80dddd9efc878daf2ca5266eb46a7dee17486aa2f1257eb3a692b129aef3
                                            • Opcode Fuzzy Hash: 5ece2a4e5acb4df759f1c8a389c6c8198ddb3299e29c21ccdcd06e81716ab98e
                                            • Instruction Fuzzy Hash: A701F730705245CFC749FB78D9194583BA2EFC5206308897EE006CB256FF74AC478751
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559488462.00000000022E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_22e0000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8186f9fce8a4354325e2aa15f49729183023407bb9553a98831985e9697e3426
                                            • Instruction ID: 373f20903ca2169e1746f991c37e2018194beb81637c04ad974d65af82c879a0
                                            • Opcode Fuzzy Hash: 8186f9fce8a4354325e2aa15f49729183023407bb9553a98831985e9697e3426
                                            • Instruction Fuzzy Hash: F301A77550D3C06FD7128B159C50862FFA8DE86620708C4DFEC498B653C225A805CBB6
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: eb6917cde66ce89de6486ff6a9bb02a8b88a7c5fbf345e600cfd78089eca89af
                                            • Instruction ID: d044c80b39eb95e52c127334b5ea3d88e8bd12b7f63ef3e58e97ff21d5d70019
                                            • Opcode Fuzzy Hash: eb6917cde66ce89de6486ff6a9bb02a8b88a7c5fbf345e600cfd78089eca89af
                                            • Instruction Fuzzy Hash: 57018130304114CBCA08E72CD05C96E77EABFC5705B2445AEE006CB7B6DFB5AC0A9781
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8fb2f80996432f859a29477390fa1d55f6f62caeb6270879bc1733365112b166
                                            • Instruction ID: 06aeb602d604ee26a282da3b6a7a160e65d933afca65bce77de4f47d5eb30a9e
                                            • Opcode Fuzzy Hash: 8fb2f80996432f859a29477390fa1d55f6f62caeb6270879bc1733365112b166
                                            • Instruction Fuzzy Hash: BCF09632B08259DFC710F76898858EFBFF5FE85314B488AAAD541DB211E771F8029792
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f4c01b1abc33056cd89667185fa5a78ebcaa1a3c9a451669bc9e3f7dd7263b6e
                                            • Instruction ID: 9a2ac416aa2dbaa2b0d8a6f840ae1de81a44083edcfcd77c56fc4685b24ba0cf
                                            • Opcode Fuzzy Hash: f4c01b1abc33056cd89667185fa5a78ebcaa1a3c9a451669bc9e3f7dd7263b6e
                                            • Instruction Fuzzy Hash: 53F059527081681BFB7320682C883B41F04DF81368F050B7FD88ACB143E4C06807A392
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e68b4e8fdf95df2d3c0f715cda0ebc745ddeb362139493788f4e4dc2d59a556c
                                            • Instruction ID: 063b9b72db136796db50b427b1ab6ee37803899817fefeeca3e7b579720ad099
                                            • Opcode Fuzzy Hash: e68b4e8fdf95df2d3c0f715cda0ebc745ddeb362139493788f4e4dc2d59a556c
                                            • Instruction Fuzzy Hash: 3AF0A431B40259DBCF09FBB4DE86AAE7321FF84704F108959E5159F286EB749D0187B4
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7bc48bedbfd7b28f2fa312736f4c8d24463d03138ceebee6ab4f3ef5bfd980cb
                                            • Instruction ID: 3680bf44e0b6b3a87b87c5829e2dac8f4c53bb42a98498b4a2a41f826773963b
                                            • Opcode Fuzzy Hash: 7bc48bedbfd7b28f2fa312736f4c8d24463d03138ceebee6ab4f3ef5bfd980cb
                                            • Instruction Fuzzy Hash: 78014B30B08208CBDB1DAA5CC55477FA6A29B84308F244D1EC046E76C1EBA5BD01AB81
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: add79c469e9d82ece16206fbdde333b2450e3c2dddcbdc5cf8671b463dabd3d8
                                            • Instruction ID: ecd8b3e43739bcb2d250a19724b1e17344f3739d8b84a66a09ebd45a49b3d8e4
                                            • Opcode Fuzzy Hash: add79c469e9d82ece16206fbdde333b2450e3c2dddcbdc5cf8671b463dabd3d8
                                            • Instruction Fuzzy Hash: A5F04434304118CBCA44FB28D15C96977E6FF85309B504AAED006CB676DF756C4A9B41
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e4cf008d9a8af389e89a771f41a588b1a753f3efabbace29342ed6c0c866c1a7
                                            • Instruction ID: 093a0c2f2a2831e0d3698a47a4a03110ee62e07b2cc02899208290b8a372008d
                                            • Opcode Fuzzy Hash: e4cf008d9a8af389e89a771f41a588b1a753f3efabbace29342ed6c0c866c1a7
                                            • Instruction Fuzzy Hash: 56F0FF30301249DBC609F778E50845877E6EFC52063088979E00ACB35AFF79BC4387A1
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b7ce78c2122a8786ea4850d235b4c1ad4056f2a70893ec5fc2df4c4a786e6caa
                                            • Instruction ID: 3e410ca7bc9d954a16bf1c45340ab40c18bea8a2386233e9f5de8cf97cea4f9f
                                            • Opcode Fuzzy Hash: b7ce78c2122a8786ea4850d235b4c1ad4056f2a70893ec5fc2df4c4a786e6caa
                                            • Instruction Fuzzy Hash: D3F0E930B04159978B14B62868106BF77D59BC525CF404E7EC907F3389FF24790597D2
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 323f6e1a34e6806a3fe8aed6202df041b6712a14bc62c590d9591700499d79de
                                            • Instruction ID: e680966c1e4c08b9e88057adb3bcab38f97d9b82ade20ac83315f9d2237ec457
                                            • Opcode Fuzzy Hash: 323f6e1a34e6806a3fe8aed6202df041b6712a14bc62c590d9591700499d79de
                                            • Instruction Fuzzy Hash: F0F05034B04155DBDB10B53858516EEBBE587C4258F404DBDC906F3343FE25790686D1
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a2c4ad402a4e5b4901092ddb4e3a66e36630b24f7ce88b913109cff863e042ec
                                            • Instruction ID: a3cfddf63e938091e0e9e2dcfbbc314b91ead47c54ec107cc9266589e776b6fc
                                            • Opcode Fuzzy Hash: a2c4ad402a4e5b4901092ddb4e3a66e36630b24f7ce88b913109cff863e042ec
                                            • Instruction Fuzzy Hash: 21F06871704240CFC719A774A5544683BE2DBCA365319857FE00ACB392FA79AC079792
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e6878ad94120292b3c459d80aab48bc4a9694d141eec12498d02237686ae49ab
                                            • Instruction ID: ab235006ab5d49226e637de0a986403a0022b5c68a0ffd528a7c69b0ac7afbd8
                                            • Opcode Fuzzy Hash: e6878ad94120292b3c459d80aab48bc4a9694d141eec12498d02237686ae49ab
                                            • Instruction Fuzzy Hash: 34F06230708285CFC71AAB58C6556BE7B715F85204B244D4FC086DB2C2EAA57902AB41
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 76b294d3468652a52b5b0eb515f9324c174cdd6831bd46433c682e0a25912da0
                                            • Instruction ID: 2575b1562946b988a4bcc1ca14e8e2eb1ef4bcd196575e4fa04db0e869c860f4
                                            • Opcode Fuzzy Hash: 76b294d3468652a52b5b0eb515f9324c174cdd6831bd46433c682e0a25912da0
                                            • Instruction Fuzzy Hash: D5F02B213043859FC74EBB7894509B937EA9BC624030545BBE00ACB2E3ED547D02D363
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0252c22af10b1cddb6b781475d10a5684c76bb7d4416b3060045433d5541ab50
                                            • Instruction ID: b52cd1cdf3b544d4a4e66bd2e70c8b20fcad8ac0a53c7431d92525830650f663
                                            • Opcode Fuzzy Hash: 0252c22af10b1cddb6b781475d10a5684c76bb7d4416b3060045433d5541ab50
                                            • Instruction Fuzzy Hash: E7F02B32B0411A9FCB14AA2858111FFBBE5DBD4248B400A6EC906F3284FB3479058FD1
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 35c96cb2f460cc248167ccc970e50ac2096b440738767f6e09dfec6558a546f9
                                            • Instruction ID: 3aac369e234c6386daf962fba40a1e8ba10e32914f234b681968baa33986e920
                                            • Opcode Fuzzy Hash: 35c96cb2f460cc248167ccc970e50ac2096b440738767f6e09dfec6558a546f9
                                            • Instruction Fuzzy Hash: 18F05C72B040140B8358366D185052F6796DBC076031842ADE40AC7341DD21AC03A3E7
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: db1a6a6d65e2d249cb24cd980e45bb492ab00cb2f85f0a0682e9b0673d0dd8a3
                                            • Instruction ID: c835758f15bba1071db08527761643cdb1f6d2c3922dd7532a0f241b0dc298f5
                                            • Opcode Fuzzy Hash: db1a6a6d65e2d249cb24cd980e45bb492ab00cb2f85f0a0682e9b0673d0dd8a3
                                            • Instruction Fuzzy Hash: 6CF04F362047409FC721DF59E540846BBF5EFC57303058FAEE1AAC7A51D230F8098B55
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 07fe16163471c6ac2ae4c6b1c49770deb2fb6f135bcf0de281c47e6b4f9b323f
                                            • Instruction ID: 70c1cb2a4f8b694d7bb0abeca6e3daf11ee4f1ce3990a8d2be4ea8450f05e903
                                            • Opcode Fuzzy Hash: 07fe16163471c6ac2ae4c6b1c49770deb2fb6f135bcf0de281c47e6b4f9b323f
                                            • Instruction Fuzzy Hash: 04F02731A0435AAFDB10E6B99C02FAFBFFCEB45611F10457AE55CE3142F230A50483A1
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6c242a9eadad7e69fe418cb4cd3c4d3ec3aa0fa935988f5455c0376683a9305e
                                            • Instruction ID: 7962d0872fae25cf5e946611bb28412066a7aa65fd856478c1b73f234b1bf7a6
                                            • Opcode Fuzzy Hash: 6c242a9eadad7e69fe418cb4cd3c4d3ec3aa0fa935988f5455c0376683a9305e
                                            • Instruction Fuzzy Hash: 9AF05C313080918FDB01A7B468655FD3BE49F4260471449DAE48ACB223E40ACC039782
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c07ef4526a37ef3d0ea305addd396d9f07525a8f72df8f9d104d9938089ca3e4
                                            • Instruction ID: 8569f81995df52e61192c07e9d36bbff829005cb8283adb5e02e4a3af1f1ee44
                                            • Opcode Fuzzy Hash: c07ef4526a37ef3d0ea305addd396d9f07525a8f72df8f9d104d9938089ca3e4
                                            • Instruction Fuzzy Hash: 59E05532F2521C9BDB106AF59D055AFB7A8A782254F024F2B8A07E3200E974680992D2
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 171de2620d0c304b073c87c93b175b08ac2ceecc5d6f95660afb4a4bb75d2fea
                                            • Instruction ID: b0e8b119dd47c22b9d311b24001345ee91d458d14180abf53192919ce0d1f260
                                            • Opcode Fuzzy Hash: 171de2620d0c304b073c87c93b175b08ac2ceecc5d6f95660afb4a4bb75d2fea
                                            • Instruction Fuzzy Hash: D7F03A71E0428A9FCF50DFB998856EEBFF4EF89214B2445AAD245E3211E3354511CFA0
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 44164d4eed5e04579195fb068e7061834c9de3ed5ceef8d86fb291676a3b9e1a
                                            • Instruction ID: 7330b6e0fb0fb427324ffbbf8666f02461c8fafb03881734752bd7ac05379637
                                            • Opcode Fuzzy Hash: 44164d4eed5e04579195fb068e7061834c9de3ed5ceef8d86fb291676a3b9e1a
                                            • Instruction Fuzzy Hash: 87F055353082814FE763E62988618AE7F61CFC2250360C8AFD459CF243EE62E8078BD0
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dc5dccd67c8144b99f82e0d75ef2ecda88ecc39ddf0739b05b070d718c1b88db
                                            • Instruction ID: 1132946e9da98bb195b60b51a7f4e93c06adb0cf13d44c82228abccb430423a4
                                            • Opcode Fuzzy Hash: dc5dccd67c8144b99f82e0d75ef2ecda88ecc39ddf0739b05b070d718c1b88db
                                            • Instruction Fuzzy Hash: 3BF05531300245DBCA4DBBADE0409B933DF9BC5284340462EE00AC7395EEA0BC4283B7
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559488462.00000000022E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_22e0000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8d74a29df55c69f98ab7c4b2aae8ba2665a8ebae01658a76b7ab1be4c5fff073
                                            • Instruction ID: c54a4959f6994670b7f326781093b5bd3d40078f1023a588cce31408bcf9ad2d
                                            • Opcode Fuzzy Hash: 8d74a29df55c69f98ab7c4b2aae8ba2665a8ebae01658a76b7ab1be4c5fff073
                                            • Instruction Fuzzy Hash: A8F06D35104645DFC712CF40D540B15FBA2EB89718F24C6ADE9891B752C377D913DA81
                                            Uniqueness
                                            • Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5a920134a4a3b123f362867bd0849b1d9c6c43107134e3c918ae3331fd554d42
                                            • Instruction ID: 1f6ba3d7eb99026ce964d2a4f33c8b14a8074d5fefcdfdb3496cb11f98413ad2
                                            • Opcode Fuzzy Hash: 5a920134a4a3b123f362867bd0849b1d9c6c43107134e3c918ae3331fd554d42
                                            • Instruction Fuzzy Hash: 52F08234314108CBCA48FB28D18C9A877E6FF852097504AAED006CB676DFB47C099B41
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 66f8d6b5d6be2cedef89a67b192eec915ec45b555ec9f036d4aea61c05386c2a
                                            • Instruction ID: 039ef07b2ee99b471241bec7267c9912631395be1ce71725bce887f8e0c17f8f
                                            • Opcode Fuzzy Hash: 66f8d6b5d6be2cedef89a67b192eec915ec45b555ec9f036d4aea61c05386c2a
                                            • Instruction Fuzzy Hash: F6E02B303482996BC705A369582172AB7DB5BCA610F6488AFD549CB292CC656C0383A1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f56b08c8310e613c89edab810c7c52e3e1b3d3eedaf64612507dc613bdac991d
                                            • Instruction ID: 8d77525aab774a361ecacd0ff8214ce974b4bd28011cd792e26353aeea5aa7f6
                                            • Opcode Fuzzy Hash: f56b08c8310e613c89edab810c7c52e3e1b3d3eedaf64612507dc613bdac991d
                                            • Instruction Fuzzy Hash: B4F030713002448F8719A668A55446D77AADBCA36A355C93DF10ADB342FE7AEC038791
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e8cc437362fed3f5374d8575b6c91ff9ea0b453f9906a34a17ceb56e8fe0bfd3
                                            • Instruction ID: 23e5f452badc989284844e97c134590a0ad58ce8e41bc2b9c6a4a24f49dcf3ca
                                            • Opcode Fuzzy Hash: e8cc437362fed3f5374d8575b6c91ff9ea0b453f9906a34a17ceb56e8fe0bfd3
                                            • Instruction Fuzzy Hash: 87E0ED30B416501BDB04B3BD9C703AE66828FC0A08F904ABCC007CF7D1EE645C018793
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5660365ea3ee56045e629fa16ca49ab40a82ec1edc71f12594c43542c5b188e9
                                            • Instruction ID: 19206b076992bafce8ce4ca8ed11f46895672bb8afb0bba0805e245ce7174059
                                            • Opcode Fuzzy Hash: 5660365ea3ee56045e629fa16ca49ab40a82ec1edc71f12594c43542c5b188e9
                                            • Instruction Fuzzy Hash: 7EE02B34308294CFC70A77B869280787FE25F8E1063148DEFD406DB391D9724C028702
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 02a1feaddfcba68e9c9ef1da57973bddd42165b7a09346691c85b14e9a9f3c16
                                            • Instruction ID: a41b461b2fcacbb5be58229287c1f654dbef9417824159a3b52ccef41392eb5a
                                            • Opcode Fuzzy Hash: 02a1feaddfcba68e9c9ef1da57973bddd42165b7a09346691c85b14e9a9f3c16
                                            • Instruction Fuzzy Hash: 23F0A030B05208DBDF08BB78EA242AD33619F8020AF60CA7AD116D7196EF2468009756
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 32f33c25f9aa5a3b0794cac8850cf8c6d3b19b62553dc75cc1dcfb9f374dad60
                                            • Instruction ID: bb6cd6d2e755e4f41a4e8655f9899ec4af00daf85fedda052484b841cd6c4c51
                                            • Opcode Fuzzy Hash: 32f33c25f9aa5a3b0794cac8850cf8c6d3b19b62553dc75cc1dcfb9f374dad60
                                            • Instruction Fuzzy Hash: 4EE068223091988BC6212339802007D3B6ACEC657931945AFD04BCB21AFD019C06E373
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c65825fe09b74c20be8d6ed00bd69f18ba097ccb243d2596988975a663b0f7da
                                            • Instruction ID: 8994c04cb82aaa40efa3466878bb9a83a9f2fc8e09f965ae9745994ca977eac3
                                            • Opcode Fuzzy Hash: c65825fe09b74c20be8d6ed00bd69f18ba097ccb243d2596988975a663b0f7da
                                            • Instruction Fuzzy Hash: 95E06536E15221CFCB557B78A91816477F5D7482623058A6BE805D7310EB755C428BC1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559488462.00000000022E0000.00000040.00000020.00020000.00000000.sdmp, Offset: 022E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_22e0000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8eefc24fc8fde34cc0e81f6f98cbe2dc9fb530b78cdeac5175112cfdf761d39c
                                            • Instruction ID: 094dbe5b191d0e04232662407b76b0a73d866ba3fe84152cd8b35b108d960a79
                                            • Opcode Fuzzy Hash: 8eefc24fc8fde34cc0e81f6f98cbe2dc9fb530b78cdeac5175112cfdf761d39c
                                            • Instruction Fuzzy Hash: 2AE092766446444BD650DF0AED81452F7D8EB84630718C07FDC0D8B701D635B504CEA6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 913ced1d5cc77474eb11259fdd4fc150150503c0e6c3d5a31c047d6721b06f1c
                                            • Instruction ID: bc0cc5918e380a06329516bebe2c324594af838787b80f5604158090c5c0c365
                                            • Opcode Fuzzy Hash: 913ced1d5cc77474eb11259fdd4fc150150503c0e6c3d5a31c047d6721b06f1c
                                            • Instruction Fuzzy Hash: 6FE09275A00B048FC3359F6AA841496FBF6FEC1B50318CA6FD0A987516D770A90B8BD1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 94756b8e2838915cd83dbb12323ee0deebb0403957947da28fd7bf602e6f858f
                                            • Instruction ID: 35ffcfa8dfb12ac5661147d12a504ca8ac37db3cd34b3e8c62fe5db35bc54d7e
                                            • Opcode Fuzzy Hash: 94756b8e2838915cd83dbb12323ee0deebb0403957947da28fd7bf602e6f858f
                                            • Instruction Fuzzy Hash: A2E0DF313046054B8722A669C92083EBB9ACBC1664350892ED46EDB302FEB2FC0287A0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d07e7cd460ad2ff845a0b6140490d36995a657c697f1356a275ca37076627e78
                                            • Instruction ID: 772b8035191bc7c0958204560a14292de09d64835006ed40cf8758512cff02dc
                                            • Opcode Fuzzy Hash: d07e7cd460ad2ff845a0b6140490d36995a657c697f1356a275ca37076627e78
                                            • Instruction Fuzzy Hash: 55E0267975E11CDFC3203A2458001F237A7EA06A0F3088E5FE08BC1A01F525B807A391
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c47251bb318851af8f2a07ad91255b382d08d3d2d83bf4763f9c51f450b783b9
                                            • Instruction ID: 8fcdfa3351052ebe1699786c38349b4d5a3ccd2eeede0723f5e0cb941b869abb
                                            • Opcode Fuzzy Hash: c47251bb318851af8f2a07ad91255b382d08d3d2d83bf4763f9c51f450b783b9
                                            • Instruction Fuzzy Hash: BAE02630340219A3C6087269981172AA2CF9BC9760F20483DE609C7781CC655C0283A5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4d194e6e89703ee6116bcc4b8daad9186cada373927bc4af12600f7134d6c829
                                            • Instruction ID: c84a64968f46e20376afd08967175c4bec5782807f66f3f23822a7d3e8fccf4c
                                            • Opcode Fuzzy Hash: 4d194e6e89703ee6116bcc4b8daad9186cada373927bc4af12600f7134d6c829
                                            • Instruction Fuzzy Hash: F6E0D836F101258BCB553BBDA91422577FAEB8C661355892FE80AD3314FF745C418BD1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.559090999.0000000000782000.00000040.00000800.00020000.00000000.sdmp, Offset: 00782000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_782000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8e70bbf635f1e53351c5bd1f474bc7db66bd382857c58bdde1764a7be0a6ce19
                                            • Instruction ID: b6882317024c1a401b09e4077bae910b815aa705d2194464060f69143402fb2c
                                            • Opcode Fuzzy Hash: 8e70bbf635f1e53351c5bd1f474bc7db66bd382857c58bdde1764a7be0a6ce19
                                            • Instruction Fuzzy Hash: 01E0D8726012446BD2109F069C85B12FB58EB90A30F04C56BED0C1F302E271B504DAF5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3ae90eae72b4dc75b7ad3910f5be903b1d876c98d7d86e097183fc10f9137950
                                            • Instruction ID: 10686c3a5c6b1f49582f2ccc65dbcd27f1333662b12b8b9ad73ead2fef4115a1
                                            • Opcode Fuzzy Hash: 3ae90eae72b4dc75b7ad3910f5be903b1d876c98d7d86e097183fc10f9137950
                                            • Instruction Fuzzy Hash: FFE0656574C26CCAC300662144489702B219B2020CB218FDFFE82C9083E236B542BB13
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a0f5e3950474408bef42b70837a9566b0286183a3afc4321b14b6bdbe33048ba
                                            • Instruction ID: 5f9763c42303a642ee5cd26f64c9b37c63f4fd0b83bdb090f2288dfd82c6aa33
                                            • Opcode Fuzzy Hash: a0f5e3950474408bef42b70837a9566b0286183a3afc4321b14b6bdbe33048ba
                                            • Instruction Fuzzy Hash: 3CE092312402059FC314AB18D550565BBA6EFC5228B14CA6ED55A8774ACB31BC13D794
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dad0242936c8ef4e16a0b840fb945fcc0ac52856e62d94f56485e82f49fbde66
                                            • Instruction ID: 1f0f93863f28dfdda07b6fb103b359bf114e39e6b5c1c7114aaf8f2393d7759a
                                            • Opcode Fuzzy Hash: dad0242936c8ef4e16a0b840fb945fcc0ac52856e62d94f56485e82f49fbde66
                                            • Instruction Fuzzy Hash: A2E0C23131441897C914366E811087E328A9BC55B6704562EA50BC7218FD42AC0193B3
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 20d069f86aac3021fde94c58f9be936412a02672a62a849d1ec1f3a22a93da5b
                                            • Instruction ID: 9ea8e518227c7fc7b14f71a3bbc41ed7ce5db79a61f1b5965b7f0b31323620d1
                                            • Opcode Fuzzy Hash: 20d069f86aac3021fde94c58f9be936412a02672a62a849d1ec1f3a22a93da5b
                                            • Instruction Fuzzy Hash: AFD0C2207060659BCA1573B818A10F92B9009CA0263048EEAA047CB297DC46480353D2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 74fd85fb9c5d52a1810341b0b7f7a4e54b71e6a0e05ed84eb01ed80c440875c3
                                            • Instruction ID: 3776c5d609972ebfe0955a6796518f6d9fb7c4312f3c2d1a6be1adc6760129f2
                                            • Opcode Fuzzy Hash: 74fd85fb9c5d52a1810341b0b7f7a4e54b71e6a0e05ed84eb01ed80c440875c3
                                            • Instruction Fuzzy Hash: 7CD02BB03CC418C7D200339C540D76436886B40315F14416EDA0AE2245FDCAEC4083EB
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 097f50f90396525144c1ebc0531441ff7c5b18b5d377c3397d230de036ee3895
                                            • Instruction ID: 6a68634accb26d8f0cadbf8cbb8d3163d33d43a31a00102188305c61b16e4b39
                                            • Opcode Fuzzy Hash: 097f50f90396525144c1ebc0531441ff7c5b18b5d377c3397d230de036ee3895
                                            • Instruction Fuzzy Hash: 40D05E3934922CDBC6243A559800573B29AE70AA1FB048F6EF44BC2B00FA36BC01A3D1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2473f8c4b23f6d0cc9a8fb518d3037d82be6af6c4976c1008573900e7cdb1161
                                            • Instruction ID: ebc21273e01e32057a97006da0b0501ffae181af85c126da0a35dadd1ae68c2a
                                            • Opcode Fuzzy Hash: 2473f8c4b23f6d0cc9a8fb518d3037d82be6af6c4976c1008573900e7cdb1161
                                            • Instruction Fuzzy Hash: E9E0CD3160E254DFC3679A11DCC0471B721DA062053048EDFD046C7555D6F27806D7C1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 82eb27a3ec9cb2c2623b3e6e7e85b2dadb18c107ebafd88fe12875007b837209
                                            • Instruction ID: 44821d90910efb4634b94ed3996487d2ec9ce8ca0fc70d3fcc1cefdbabba91b2
                                            • Opcode Fuzzy Hash: 82eb27a3ec9cb2c2623b3e6e7e85b2dadb18c107ebafd88fe12875007b837209
                                            • Instruction Fuzzy Hash: 1BD0C230209398CAC335F66DAC04BA277B95B01A08F540F5FC047856109666B484E392
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d05235d1759b7e926adfcc2b2513f20aaab0225fe527ad7bd1943a661d32d517
                                            • Instruction ID: 13dbc0c63134f3fe951cad9daa2ac8e1ee63a0a6b52eddc99c73e55c08520557
                                            • Opcode Fuzzy Hash: d05235d1759b7e926adfcc2b2513f20aaab0225fe527ad7bd1943a661d32d517
                                            • Instruction Fuzzy Hash: 96D01231F0510CDBCF04B7E9EA291ED7BB19B8422EB505ABBC11BD7152EF302455A792
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000010.00000002.560419958.0000000004880000.00000040.00000800.00020000.00000000.sdmp, Offset: 04880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_16_2_4880000_host process.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: hfx$hfx$hfx$hfx
                                            • API String ID: 0-2125061452
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Execution Graph

                                            Execution Coverage: 9.8%
                                            Dynamic/Decrypted Code Coverage: 100%
                                            Signature Coverage: 3.2%
                                            Total number of Nodes: 126
                                            Total number of Limit Nodes: 9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560341294.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_59b0000_O.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ~
                                            • API String ID: 0-3322473477
                                            • Opcode ID: c685935ae7449da0e700162424f94019fc1446bbb20969eee0ac2740dc30ba3e
                                            • Instruction ID: 55f747f7dd30e57c3fed85d52e1f718a1440d4c1a28247cea0b01ea0aff382b2
                                            • Opcode Fuzzy Hash: c685935ae7449da0e700162424f94019fc1446bbb20969eee0ac2740dc30ba3e
                                            • Instruction Fuzzy Hash: D2348F30A01348CFF360DB24C6587DB76EABBC5314F998C6A45492F392CBB59D82D792
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph (rendered basic-block graph omitted): function starting at 59bda53; internal calls to 59be760, 59bd208, 59bf2b3, 666f0d8, 32105f6 and 32105cf.
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560341294.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_59b0000_O.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: W )$Zfo^$-Zfo^
                                            • API String ID: 0-216439878
                                            • Opcode ID: 638f72a6b26125c244bbcc104a0383b18c881dfa05d07a8c9b25fec94986ca84
                                            • Instruction ID: 1cf9a370c7f063369fbbd826c60665427f09527d46143972b3a5b945224c86ba
                                            • Opcode Fuzzy Hash: 638f72a6b26125c244bbcc104a0383b18c881dfa05d07a8c9b25fec94986ca84
                                            • Instruction Fuzzy Hash: F932B330B242458BE708DB78D6946ADBBBBBBC5300F54886AD406AF394DFB5DD41CB81
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph (rendered basic-block graph omitted): function starting at 59bde4a; internal calls to 59bd208, 59bf2b3, 666f0d8, 32105f6 and 32105cf.
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560341294.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_59b0000_O.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: W )$Zfo^$-Zfo^
                                            • API String ID: 0-216439878
                                            • Opcode ID: c21296702ccacfa526c5849c236bb8b1dee8425b4e61c52842f6c58faf490f3d
                                            • Instruction ID: fa467e57375b83135f969cb554e372800ad3fea447ad2ab91b60ae071eef8b71
                                            • Opcode Fuzzy Hash: c21296702ccacfa526c5849c236bb8b1dee8425b4e61c52842f6c58faf490f3d
                                            • Instruction Fuzzy Hash: 5BE1E234B282448BE708DB78D6947EDBBABBBC1300F54886AD406AF395DFB5DD418781
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph (rendered basic-block graph omitted): function starting at 59bdebb; internal calls to 59bd208, 59bf2b3, 666f0d8, 32105f6 and 32105cf.
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560341294.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_59b0000_O.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: W )$Zfo^$-Zfo^
                                            • API String ID: 0-216439878
                                            • Opcode ID: a9ed0cb96ba526943120419bf6f03ba5959493bccd95d3d03c2eb5e41807cbf5
                                            • Instruction ID: 8fbcac6cb57fb93e794f20dbb312a53e310596cf1ff55fa69d5b68d3088d8610
                                            • Opcode Fuzzy Hash: a9ed0cb96ba526943120419bf6f03ba5959493bccd95d3d03c2eb5e41807cbf5
                                            • Instruction Fuzzy Hash: 94E1F334B282448BE708DF78D6947EDBBABBB81300F54886AD406AF395DFB5DD418781
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph (rendered basic-block graph omitted): function starting at 666e108; internal calls to 59bd1fb and 59bd208; API call: LdrInitializeThunk.
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560948291.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_6660000_O.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 841e9582663d2d4283e467482901d47a2f9fc26ed9f1ab2bd488cd7798b56ab3
                                            • Instruction ID: 1b241bf62a79dc76a8a71c2e7ab8c7ca5c9e159e00cf3bd94f10b9f13f9fffe3
                                            • Opcode Fuzzy Hash: 841e9582663d2d4283e467482901d47a2f9fc26ed9f1ab2bd488cd7798b56ab3
                                            • Instruction Fuzzy Hash: A671AF34B10249DFDB44EBB8D990AAEB7B6FB88300F148929E505EB390DB71DD41CB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 030BB22F
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559357444.00000000030BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BA000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_30ba000_O.jbxd
                                            Similarity
                                            • API ID: AdjustPrivilegesToken
                                            • String ID:
                                            • API String ID: 2874748243-0
                                            • Opcode ID: 81c652d858ad987f6cd348f1ddc2070a08d84805c3fbb59917601f784bf76794
                                            • Instruction ID: 8a6544a34d198be0bc017e6983ed382ef64fa0aaf181d6e953a834229c4d3ff7
                                            • Opcode Fuzzy Hash: 81c652d858ad987f6cd348f1ddc2070a08d84805c3fbb59917601f784bf76794
                                            • Instruction Fuzzy Hash: 522194755097849FDB22CF25DC40B52BFF4EF06210F0985DAE9858F563D2759908CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • NtQuerySystemInformation.NTDLL ref: 030BB39D
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559357444.00000000030BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BA000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_30ba000_O.jbxd
                                            Similarity
                                            • API ID: InformationQuerySystem
                                            • String ID:
                                            • API String ID: 3562636166-0
                                            • Opcode ID: 0a72fbf6fb2fdfcf241eb56a59c1b6fc594aed0579754969a05b72d755079e3a
                                            • Instruction ID: 2841dac9d622a026fe69fd21fd23db27ac2dccaaa67b84124329904c399aa769
                                            • Opcode Fuzzy Hash: 0a72fbf6fb2fdfcf241eb56a59c1b6fc594aed0579754969a05b72d755079e3a
                                            • Instruction Fuzzy Hash: ED118E724097C09FDB22CF14DC45A92FFB4EF06324F0984DAE9849F263D265A918CB72
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 030BB22F
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559357444.00000000030BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BA000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_30ba000_O.jbxd
                                            Similarity
                                            • API ID: AdjustPrivilegesToken
                                            • String ID:
                                            • API String ID: 2874748243-0
                                            • Opcode ID: 102b2ebd188f277bf289a9032590100bf813aae1408e26fe6fb25ca09a93ce95
                                            • Instruction ID: b2977819922b365d6f9bd0baa8e44df805c9a87ab74f89a9151eba0874082426
                                            • Opcode Fuzzy Hash: 102b2ebd188f277bf289a9032590100bf813aae1408e26fe6fb25ca09a93ce95
                                            • Instruction Fuzzy Hash: 291173355012449FDB21CF55D984B6AFBE4EF04320F08C8AADD858B612D331E414CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • NtQuerySystemInformation.NTDLL ref: 030BB39D
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559357444.00000000030BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BA000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_30ba000_O.jbxd
                                            Similarity
                                            • API ID: InformationQuerySystem
                                            • String ID:
                                            • API String ID: 3562636166-0
                                            • Opcode ID: 3f943d3c483eea141040250e2c86e3a665677c38eccea61bc9c57d460ab5fcc7
                                            • Instruction ID: cb78c29635b6d79751e339371eec7ee513405d12b3ffcdceb2ad20a5b46ae215
                                            • Opcode Fuzzy Hash: 3f943d3c483eea141040250e2c86e3a665677c38eccea61bc9c57d460ab5fcc7
                                            • Instruction Fuzzy Hash: EE0178354006409FDB21CF49D984B69FFA4EF48720F08889ADE894B612C2B5A418CF76
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560341294.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_59b0000_O.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID: 0-3916222277
                                            • Opcode ID: dc60f63264eb7b83bd35c6b1f353453edeb63f56014d8c9c63c53ac244761f0c
                                            • Instruction ID: f94fc0127bc348cfb1349e49662871ba4cc95473a569f0cbaf58b06f9c08dbe6
                                            • Opcode Fuzzy Hash: dc60f63264eb7b83bd35c6b1f353453edeb63f56014d8c9c63c53ac244761f0c
                                            • Instruction Fuzzy Hash: F8619575F012199BEF04CFE8DA556EEFBB7EB89200F114916E905BB390C670ED058B91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560341294.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_59b0000_O.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID: 0-3916222277
                                            • Opcode ID: 63f1594f3d1275260e7680282144593ec004dc2387611b51205364a028988c94
                                            • Instruction ID: b02c50584c30e2ee01b3206ae79178fd4ca5a481d2415f0da9d850b6418d2b29
                                            • Opcode Fuzzy Hash: 63f1594f3d1275260e7680282144593ec004dc2387611b51205364a028988c94
                                            • Instruction Fuzzy Hash: 5E618475F112199BEF04CFE8DA556EEFBB7EB88200F218916E905BB390C670DD058B91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560341294.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_59b0000_O.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e688250fea5b11398056dceb5109aa568d4e824031bf81b1896b334414115907
                                            • Instruction ID: 316a87ddc5f01ee895b22aa6080c01097627fa48f69723f6cbc5bd9ce7aefc91
                                            • Opcode Fuzzy Hash: e688250fea5b11398056dceb5109aa568d4e824031bf81b1896b334414115907
                                            • Instruction Fuzzy Hash: C7419574F102189BFB58E6B9DA557EEAAEFABC8700F148825E406EB384DD7498008791
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560341294.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_59b0000_O.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a3047b6c76f734e304976d8ee42c797a20635eaeb43ad688926582b9a05925bd
                                            • Instruction ID: 894b1e866cec543d5ecf841e830b44d71fc6666c1a7a81492c4539167b21f00e
                                            • Opcode Fuzzy Hash: a3047b6c76f734e304976d8ee42c797a20635eaeb43ad688926582b9a05925bd
                                            • Instruction Fuzzy Hash: 0B418774F102189BFB58E7B99A547EEBAEFBBC8700F148825D506EB384DE749C008795
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            control_flow_graph (rendered basic-block graph omitted): function starting at 61e20d8; API calls: CreateMutexW, shutdown.
                                            APIs
                                            • CreateMutexW.KERNELBASE(?,?), ref: 061E2081
                                            • shutdown.WS2_32(?,00000E2C,4E62F021,00000000,00000000,00000000,00000000), ref: 061E216C
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: CreateMutexshutdown
                                            • String ID:
                                            • API String ID: 3897568296-0
                                            • Opcode ID: e2d0fa01f91156e198ea29c7175511377da3321b53d066808b7159a74c787989
                                            • Instruction ID: 85f1cac9b021959039e0b0c4d3e8c69ab5e7d9e1122ba390cbdb4e24c1f82edb
                                            • Opcode Fuzzy Hash: e2d0fa01f91156e198ea29c7175511377da3321b53d066808b7159a74c787989
                                            • Instruction Fuzzy Hash: A13124B1405780AFE711CF54DD45BA6BFA8EF46320F0884AAE944DF292D335A904CBB2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                             Control-flow Graph: rendered graph not preserved (basic blocks 61e1655-61e1773; WSASocketW called in block 61e1719)
                                            APIs
                                            • WSASocketW.WS2_32(?,?,?,?,?), ref: 061E171E
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: Socket
                                            • String ID:
                                            • API String ID: 38366605-0
                                            • Opcode ID: 2e2d3394513d73321d4fb948800c90eded3a883113faeae9900f0dd7a2b6948a
                                            • Instruction ID: 17400536403c320e6a8adf432468a17614d2da843b6c0d9393707773b5e198b4
                                            • Opcode Fuzzy Hash: 2e2d3394513d73321d4fb948800c90eded3a883113faeae9900f0dd7a2b6948a
                                            • Instruction Fuzzy Hash: 23416A714097C0AFE7138B25CC55B96BFB4AF07210F0985DBE9858F1A3C365A808CB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                             Control-flow Graph: rendered graph not preserved (basic blocks 30bab72-30bac77; RegOpenKeyExW called in block 30bac2b)
                                            APIs
                                            • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 030BAC31
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559357444.00000000030BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BA000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_30ba000_O.jbxd
                                            Similarity
                                            • API ID: Open
                                            • String ID:
                                            • API String ID: 71445658-0
                                            • Opcode ID: 25e521c01b4f7b22e8dce25b99d7eeca3d2a7e8c4ba1c7940de1598dcc465bcd
                                            • Instruction ID: de7b1cfc10fd9805b567c5f975674fb6caba295848ca03371922ebf44c3047ef
                                            • Opcode Fuzzy Hash: 25e521c01b4f7b22e8dce25b99d7eeca3d2a7e8c4ba1c7940de1598dcc465bcd
                                            • Instruction Fuzzy Hash: 1631A3725093846FE722CB25CC45FA6BFBCEF06310F0885DBE9809B153D264A909C771
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                             Control-flow Graph: rendered graph not preserved (basic blocks 61e264f-61e2779; getaddrinfo called in block 61e271d)
                                            APIs
                                            • getaddrinfo.WS2_32(?,00000E2C), ref: 061E2723
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: getaddrinfo
                                            • String ID:
                                            • API String ID: 300660673-0
                                            • Opcode ID: b7b947e917a607e169c592ff723c6faef53b0851d42dbe25b7e50de784c0e39a
                                            • Instruction ID: 2ec96fd2e6a919c75d28e89298a5570533add7bef9b27397553fa5769b7e6d4c
                                            • Opcode Fuzzy Hash: b7b947e917a607e169c592ff723c6faef53b0851d42dbe25b7e50de784c0e39a
                                            • Instruction Fuzzy Hash: E931D471404384AFEB22CF24CC95FA6BFACEF06310F14859AE9849F182D375A949CB71
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                             Control-flow Graph: rendered graph not preserved (basic blocks 61e23a8-61e24a3; DuplicateHandle called in block 61e2441)
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 061E2447
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: c0e4586a6e11550fc4a7f011b9aba127802cd60ff631a2a2dfa4b76372266ae6
                                            • Instruction ID: 896d27bec0e333842ea20ab3992e12db0d3114d49abbb096db056dd30004e107
                                            • Opcode Fuzzy Hash: c0e4586a6e11550fc4a7f011b9aba127802cd60ff631a2a2dfa4b76372266ae6
                                            • Instruction Fuzzy Hash: 5B31D172500344AFEB228F65CD44F66BFACEF05320F0489AAED85DB152D224A948CB71
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                             Control-flow Graph: rendered graph not preserved (basic blocks 61e2901-61e29fd; WSAIoctl called in block 61e29af)
                                            APIs
                                            • WSAIoctl.WS2_32(?,00000E2C,4E62F021,00000000,00000000,00000000,00000000), ref: 061E29B5
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: Ioctl
                                            • String ID:
                                            • API String ID: 3041054344-0
                                            • Opcode ID: b180dfda79e66d61ede4ebbd6884bff44bde5cc92a2636e0cc0ab171e69413ed
                                            • Instruction ID: 2d8c8d4200475d5607734a8f85721157e54fa725a814785d7d3176155d7940e9
                                            • Opcode Fuzzy Hash: b180dfda79e66d61ede4ebbd6884bff44bde5cc92a2636e0cc0ab171e69413ed
                                            • Instruction Fuzzy Hash: 69316171505784AFEB228F25CD44F62BFB8EF06310F08859AE9859B162D335E949CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                             Control-flow Graph: rendered graph not preserved (basic blocks 61e0758-61e084e; CreateFileW called in block 61e07f3)
                                            APIs
                                            • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 061E07F9
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0
                                            • Opcode ID: 2b3302116b2f993b7e07351462f5f5e69ed0fff4a178e37980820b591f23954f
                                            • Instruction ID: 41c96017a80519c035c05299881de107d2f65bf6c3ac0223850a36bccdcb9e48
                                            • Opcode Fuzzy Hash: 2b3302116b2f993b7e07351462f5f5e69ed0fff4a178e37980820b591f23954f
                                            • Instruction Fuzzy Hash: E831AF71904380AFE722CF65CC44F66BFE8EF09210F0884AEE9859B252D375E818CB71
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                             Control-flow Graph: rendered graph not preserved (basic blocks 61e22a0-61e238e; GetProcessTimes called in block 61e2337)
                                            APIs
                                            • GetProcessTimes.KERNELBASE(?,00000E2C,4E62F021,00000000,00000000,00000000,00000000), ref: 061E233D
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: ProcessTimes
                                            • String ID:
                                            • API String ID: 1995159646-0
                                            • Opcode ID: 6313156dbfdaa5f8f2ad8e84f55d980a58bb4caa39f0658ea43c358aee09bfe1
                                            • Instruction ID: 0b28fb9fd7b41529bd085a4df5c6eff0ee8c9fd1f7dc9386e91932b9376fd2d8
                                            • Opcode Fuzzy Hash: 6313156dbfdaa5f8f2ad8e84f55d980a58bb4caa39f0658ea43c358aee09bfe1
                                            • Instruction Fuzzy Hash: B331D4724097806FEB128F24DD45B96BFB8EF46310F08849AE9859F153C325A905CBB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegQueryValueExW.KERNELBASE(?,00000E2C,4E62F021,00000000,00000000,00000000,00000000), ref: 061E0E60
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: QueryValue
                                            • String ID:
                                            • API String ID: 3660427363-0
                                            • Opcode ID: 7dec9ab31512fad837f4936a7fad7ba4a8e96b4567b5a05b2e018d6f40e1a940
                                            • Instruction ID: 6e92cd0dcea2736c6bf854f8c00cb96323a661757abfb4402564b633625bfbd0
                                            • Opcode Fuzzy Hash: 7dec9ab31512fad837f4936a7fad7ba4a8e96b4567b5a05b2e018d6f40e1a940
                                            • Instruction Fuzzy Hash: 6031A4715047805FEB22CF65CD45B96BFB8EF46310F0884AAE9849B152D374E908CB71
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegQueryValueExW.KERNELBASE(?,00000E2C,4E62F021,00000000,00000000,00000000,00000000), ref: 030BAD34
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559357444.00000000030BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BA000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_30ba000_O.jbxd
                                            Similarity
                                            • API ID: QueryValue
                                            • String ID:
                                            • API String ID: 3660427363-0
                                            • Opcode ID: c5ebd14c1dd272f89692d26d04302df4f779b8e8270cbf459d761d358094d43d
                                            • Instruction ID: 140a3a04b593b5a54393bd4c1f837b377591ffd3c1ccf51438166888de1d9ae6
                                            • Opcode Fuzzy Hash: c5ebd14c1dd272f89692d26d04302df4f779b8e8270cbf459d761d358094d43d
                                            • Instruction Fuzzy Hash: DE318F712093806FE722CB25CC85FA2BFFCEF06710F18849AE9859B153D264E548CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: FileView
                                            • String ID:
                                            • API String ID: 3314676101-0
                                            • Opcode ID: 019fa58b699be565909e329fca8c5baba3ae795f1f322fe2177faa4e4cb78f70
                                            • Instruction ID: d9525c9bc7a55129bb32a2cb29e37c60abff0fabb098a2737f6ed55c2aa4366e
                                            • Opcode Fuzzy Hash: 019fa58b699be565909e329fca8c5baba3ae795f1f322fe2177faa4e4cb78f70
                                            • Instruction Fuzzy Hash: 9E31B372404780AFE722CF59DC45F96FFF8EF06320F04859AE9849B252D375A949CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegQueryValueExW.KERNELBASE(?,00000E2C,4E62F021,00000000,00000000,00000000,00000000), ref: 061E1A40
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: QueryValue
                                            • String ID:
                                            • API String ID: 3660427363-0
                                            • Opcode ID: 4bbc5d353d335b85b1e5dccbc792d7c7f81585027544c6b7d2acc7607d3c24cb
                                            • Instruction ID: c154dfa32f7c8fd5b00cf5485f3bb9a085af8efa1776a13bbd7455fd9ca26776
                                            • Opcode Fuzzy Hash: 4bbc5d353d335b85b1e5dccbc792d7c7f81585027544c6b7d2acc7607d3c24cb
                                            • Instruction Fuzzy Hash: F231B1725087806FE722CB25CD45FA2BFB8EF46310F0884DAE9859B163D364E948CB71
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateMutexW.KERNELBASE(?,?), ref: 061E2081
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: CreateMutex
                                            • String ID:
                                            • API String ID: 1964310414-0
                                            • Opcode ID: f6092af7b71ffd4056f761ae1c174269ebbdb96aa2d9feee8c98f67ac68422f2
                                            • Instruction ID: c928b52630d1d4d3f9669a0ecba2ffed586dc83340458fc8ba8328f5183bc025
                                            • Opcode Fuzzy Hash: f6092af7b71ffd4056f761ae1c174269ebbdb96aa2d9feee8c98f67ac68422f2
                                            • Instruction Fuzzy Hash: E03184B1505780AFE722CF25CD95B56FFE8EF05210F0884AAE984CB292D375E944CB71
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • getaddrinfo.WS2_32(?,00000E2C), ref: 061E2723
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: getaddrinfo
                                            • String ID:
                                            • API String ID: 300660673-0
                                            • Opcode ID: 4e72c1d4eef57775d60a71a18aab9bdd8bc8a27b5ac52ce561462dbd8c19f6d5
                                            • Instruction ID: 3c85e2bf6ec20eeac94559d1f08d364f855055d34f5ad40d8f58493a472e074a
                                            • Opcode Fuzzy Hash: 4e72c1d4eef57775d60a71a18aab9bdd8bc8a27b5ac52ce561462dbd8c19f6d5
                                            • Instruction Fuzzy Hash: 9B21A171500204AFFB21DF68CD85FAAFBACEF04710F14895AEE459B182D675A6488BB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 061E0D56
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: Open
                                            • String ID:
                                            • API String ID: 71445658-0
                                            • Opcode ID: 755769a46aca56d13e4d41ef2ca63b811e80ab36b288cfac51933e61f9a047dc
                                            • Instruction ID: f423431a0d4446208da222606c41d7ba6d12adadd3e4b5c3d25809fb6abe8700
                                            • Opcode Fuzzy Hash: 755769a46aca56d13e4d41ef2ca63b811e80ab36b288cfac51933e61f9a047dc
                                            • Instruction Fuzzy Hash: E821B1B14053446FE7228F64DC45F66FFACEF45310F08849AED849B152D264E908CB71
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 061E2447
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: e21af1f08df7ee61b3114986ddc34328707e1a77f88ce0a25a460bf5b8ba2ea1
                                            • Instruction ID: 29ddfacafdbf43c1dfdde6f686f0e153ea9128cd5984a9c8af093627c0ea4b83
                                            • Opcode Fuzzy Hash: e21af1f08df7ee61b3114986ddc34328707e1a77f88ce0a25a460bf5b8ba2ea1
                                            • Instruction Fuzzy Hash: E221F172500204AFEB22CF69CD85F6AFBACEF04320F04886AED459B551D330E5488BB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 061E148E
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: QueryValue
                                            • String ID:
                                            • API String ID: 3660427363-0
                                            • Opcode ID: 3229153a8b8d90f403a25b02d3fceddb0dd22f0c639fe00c9c8f2b8ba0efeaf3
                                            • Instruction ID: dd12f6991796cf99046508a3ecd471c46a72b23f1011dc22f776835ca84cd4b0
                                            • Opcode Fuzzy Hash: 3229153a8b8d90f403a25b02d3fceddb0dd22f0c639fe00c9c8f2b8ba0efeaf3
                                            • Instruction Fuzzy Hash: F321B2755093C06FD3138B258C51B62BFB4EF87610F0A81DBE8848B693D225A919C7B2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WSAStartup.WS2_32(?,00000E2C,?,?), ref: 030BA10E
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559357444.00000000030BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BA000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_30ba000_O.jbxd
                                            Similarity
                                            • API ID: Startup
                                            • String ID:
                                            • API String ID: 724789610-0
                                            • Opcode ID: 53b275ba4b5344cb6f652e00559d18e06c0ff5664050f737dafffe04b53a9d42
                                            • Instruction ID: f295b3b7b738c80b3d72035e1e5424907861d3947bdf85544b38d08ee79f8221
                                            • Opcode Fuzzy Hash: 53b275ba4b5344cb6f652e00559d18e06c0ff5664050f737dafffe04b53a9d42
                                            • Instruction Fuzzy Hash: FA21F37140D3C06FD312CB658C55B66BFB4EF87620F1985DFD9848B293D225A819CBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • OpenFileMappingW.KERNELBASE(?,?), ref: 061E1CD5
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: FileMappingOpen
                                            • String ID:
                                            • API String ID: 1680863896-0
                                            • Opcode ID: 4e3f62463c53c0e8b8ef3a15c7555c20bcda692dcfcfc6997d82df33218587b5
                                            • Instruction ID: 3fc307a06ab3594937a97a2fbeffb9bfd5f8615e3d2dcce6f4151420d3778194
                                            • Opcode Fuzzy Hash: 4e3f62463c53c0e8b8ef3a15c7555c20bcda692dcfcfc6997d82df33218587b5
                                            • Instruction Fuzzy Hash: F02191715053806FE722CF25CC45F66FFA8EF45220F1884AEE9859B252D375E908CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegEnumKeyExW.KERNELBASE(?,00000E2C,?,?), ref: 061E0C96
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: Enum
                                            • String ID:
                                            • API String ID: 2928410991-0
                                            • Opcode ID: c79077b3852dde18fc828aa560334a56389ebed99425642c5bc390bfb7db6b28
                                            • Instruction ID: 2db01ed64e38c7d871aa2756a871e159d1933ddcc2a328e58c33d1b3af49519d
                                            • Opcode Fuzzy Hash: c79077b3852dde18fc828aa560334a56389ebed99425642c5bc390bfb7db6b28
                                            • Instruction Fuzzy Hash: 5F217F6550E3C06FC3138B358C55A25BFB4EF87A10F1D81DFD8848B6A3D225A919C7A2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 061E07F9
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0
                                            • Opcode ID: ff346d4fb351d0fd2784bdd333e767d89572189e8998f630d836bfb2b293b816
                                            • Instruction ID: dc6f1883e931d5284c295849b1fbaeb458f0327749fadd175141db7e053d2bb1
                                            • Opcode Fuzzy Hash: ff346d4fb351d0fd2784bdd333e767d89572189e8998f630d836bfb2b293b816
                                            • Instruction Fuzzy Hash: 39219A71900644AFEB61DF69CD84B66FBE8EF08310F04886EE9899B652D371E414CBB5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ioctlsocket.WS2_32(?,00000E2C,4E62F021,00000000,00000000,00000000,00000000), ref: 061E28B7
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: ioctlsocket
                                            • String ID:
                                            • API String ID: 3577187118-0
                                            • Opcode ID: bc90f343d82f176235538152833a868b098714e10f44be2d63025dd8bdc069fd
                                            • Instruction ID: c533e12faedda2656f1e3324a4334eb399003b32536b0fbcf201183b5ded6fec
                                            • Opcode Fuzzy Hash: bc90f343d82f176235538152833a868b098714e10f44be2d63025dd8bdc069fd
                                            • Instruction Fuzzy Hash: F821C1714093C46FE712CB648D85F96BFA8EF46310F0884EBE9849F152C274A508C7B2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ReadFile.KERNELBASE(?,00000E2C,4E62F021,00000000,00000000,00000000,00000000), ref: 061E09B1
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: FileRead
                                            • String ID:
                                            • API String ID: 2738559852-0
                                            • Opcode ID: f15fea4c3967a6c54c5c391b0f925c7996c92e4f1ac63a081671552a6b0580e4
                                            • Instruction ID: 4a54e7ca852e9144f04e380245a9490b54c91389b8aab939012ee30c451bcdc7
                                            • Opcode Fuzzy Hash: f15fea4c3967a6c54c5c391b0f925c7996c92e4f1ac63a081671552a6b0580e4
                                            • Instruction Fuzzy Hash: 9221B271409380AFE7228F24DD45F66BFB8EF46314F08849BE9849B153C264A809CB72
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 030BAC31
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559357444.00000000030BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BA000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_30ba000_O.jbxd
                                            Similarity
                                            • API ID: Open
                                            • String ID:
                                            • API String ID: 71445658-0
                                            • Opcode ID: a9193545d29851b44adf4fffeca3de1cd06569183c2d17549252dca4d98bb956
                                            • Instruction ID: cb123e595573ff210bb7ac710a5b25552550bbd96947578dc73dca9cb517caf9
                                            • Opcode Fuzzy Hash: a9193545d29851b44adf4fffeca3de1cd06569183c2d17549252dca4d98bb956
                                            • Instruction Fuzzy Hash: EC21C372500204AFE721DF69DD85FABFBECEF08710F04895AED459B242D664E9088BB5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryA.KERNELBASE(?,00000E2C), ref: 061E009B
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 928a37132a4e8eacf1229de8c903937b06aafb1ce6af6985f57fc69d1136449c
                                            • Instruction ID: 317caa9353f88ef4044d589c458d1c896357bf2dab30e0de671fa2b435f7dff2
                                            • Opcode Fuzzy Hash: 928a37132a4e8eacf1229de8c903937b06aafb1ce6af6985f57fc69d1136449c
                                            • Instruction Fuzzy Hash: 1A21A7714057806FE7228F24DD45FA6BFA8EF46320F14809AE9449F192D2A9A948CB71
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetAdaptersAddresses.IPHLPAPI(?,00000E2C,4E62F021,00000000,00000000,00000000,00000000), ref: 061E2C5D
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: AdaptersAddresses
                                            • String ID:
                                            • API String ID: 2506852604-0
                                            • Opcode ID: b0e913012d7eb72fe7d311ebdcee250687c04210edf0bbcece6df54c8b644ed2
                                            • Instruction ID: 6e9d4272cd1eae6060474bb56dfcb9827a37159d1a4227a9cd906a2164566c5b
                                            • Opcode Fuzzy Hash: b0e913012d7eb72fe7d311ebdcee250687c04210edf0bbcece6df54c8b644ed2
                                            • Instruction Fuzzy Hash: 7C21D6714087806FEB228B15DD45FA6FFB8EF06310F09849AE9845B153C375A508CBB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WSAEventSelect.WS2_32(?,00000E2C,4E62F021,00000000,00000000,00000000,00000000), ref: 061E2B7E
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: EventSelect
                                            • String ID:
                                            • API String ID: 31538577-0
                                            • Opcode ID: 496281c9499b3ef417146f56b0623e6755442cd3904d635cc2278f607b40c7a6
                                            • Instruction ID: f96676f759363795c919affade2b0d397e2e6702718b1a6a895827eb52dc16fa
                                            • Opcode Fuzzy Hash: 496281c9499b3ef417146f56b0623e6755442cd3904d635cc2278f607b40c7a6
                                            • Instruction Fuzzy Hash: 8921B3714043846FE722CF65DD85F97BFACEF45310F0884ABE944AB152D234A508CBB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 061E0D56
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: Open
                                            • String ID:
                                            • API String ID: 71445658-0
                                            • Opcode ID: dc62fccc6f6a4d771a584f25119f1736c043eea3d6e7d656fb5afa76cc368eab
                                            • Instruction ID: 48dc9d7455844dd9101775b5967a7d1580bcd6d442c5851d58abfad1352f264e
                                            • Opcode Fuzzy Hash: dc62fccc6f6a4d771a584f25119f1736c043eea3d6e7d656fb5afa76cc368eab
                                            • Instruction Fuzzy Hash: 1A21D175500604AFEB219F58DD45F6AFBACFF04310F04886AED449B242D374E5148BB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • CreateMutexW.KERNELBASE(?,?), ref: 061E2081
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: CreateMutex
                                            • String ID:
                                            • API String ID: 1964310414-0
                                            • Opcode ID: 0a79c980a25075b43a17cd95e9cb86ff71940cf7d3c853bffb791cfee9c23c45
                                            • Instruction ID: 58b2cedebb8b3593c4686d551f87db73d842f09108db2b75489d3f03c9f05430
                                            • Opcode Fuzzy Hash: 0a79c980a25075b43a17cd95e9cb86ff71940cf7d3c853bffb791cfee9c23c45
                                            • Instruction Fuzzy Hash: 4F219A71500640AFE721DF29C995B66FBECEF04310F18846AED88CB282D771E644CBB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WSAIoctl.WS2_32(?,00000E2C,4E62F021,00000000,00000000,00000000,00000000), ref: 061E29B5
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: Ioctl
                                            • String ID:
                                            • API String ID: 3041054344-0
                                            • Opcode ID: 8552a169c1d7b7e497f2d5e286d76b69c6fa0b6b33d9e295c8afe2d3a7bbc3a4
                                            • Instruction ID: f17dad1096b60df8fec4779182a9e1a83ffea91e5d3585b7bd8d12d72b06c57f
                                            • Opcode Fuzzy Hash: 8552a169c1d7b7e497f2d5e286d76b69c6fa0b6b33d9e295c8afe2d3a7bbc3a4
                                            • Instruction Fuzzy Hash: 3C216A71500604AFEB618F55CD84F66BBECEF08720F18896AED859B651D331E544CBB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 030BB012
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559357444.00000000030BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BA000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_30ba000_O.jbxd
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            • Opcode ID: 3a7285059a7ccaa0675a572a8349691e39fd381007ee434de579d3b30a31855e
                                            • Instruction ID: bc0d061915fc5cc66ca785a8b6b3dfae39795ca8d594157fbec91606f6c315a8
                                            • Opcode Fuzzy Hash: 3a7285059a7ccaa0675a572a8349691e39fd381007ee434de579d3b30a31855e
                                            • Instruction Fuzzy Hash: 842183725093C05FD752CB65DC95B96BFF8EF16210F0D84EAE984CB253D225D848CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetFileType.KERNELBASE(?,00000E2C,4E62F021,00000000,00000000,00000000,00000000), ref: 061E08E5
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: FileType
                                            • String ID:
                                            • API String ID: 3081899298-0
                                            • Opcode ID: 16427b4ddd8382fd0f9a5d31c40c9c0ea6258ab24190a10f661e2973045c06ca
                                            • Instruction ID: f6702610d35ad3f98f33568f7ae9f5fbb792d3b53596d7c0bdbb415ba9541164
                                            • Opcode Fuzzy Hash: 16427b4ddd8382fd0f9a5d31c40c9c0ea6258ab24190a10f661e2973045c06ca
                                            • Instruction Fuzzy Hash: 0A21D5715087846FE7128B259D55BA3BFACEF46720F0884DAED859B253C264A908C7B1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 061E2D1E
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: Connect
                                            • String ID:
                                            • API String ID: 3144859779-0
                                            • Opcode ID: 81e7eff448a5dd709df522fe591e888697630ad19988b6fc90f3d89782f12ea2
                                            • Instruction ID: 5d708e75977b56c7196bd8908d46c990491fd8bdd33b0085c828131cb425ce11
                                            • Opcode Fuzzy Hash: 81e7eff448a5dd709df522fe591e888697630ad19988b6fc90f3d89782f12ea2
                                            • Instruction Fuzzy Hash: CD21AE754097809FDB228F60C884A92BFB4FF0A320F0984DEE9848B163D375A909CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegQueryValueExW.KERNELBASE(?,00000E2C,4E62F021,00000000,00000000,00000000,00000000), ref: 061E0E60
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: QueryValue
                                            • String ID:
                                            • API String ID: 3660427363-0
                                            • Opcode ID: 77849044d76c3722467f7c04e7476ac0fc7888065c64d9424e81e8e6d613b6df
                                            • Instruction ID: cc88151ce5e7ce459f2518a388e049ca64657a5c9aa5c103b9985a56c44debb5
                                            • Opcode Fuzzy Hash: 77849044d76c3722467f7c04e7476ac0fc7888065c64d9424e81e8e6d613b6df
                                            • Instruction Fuzzy Hash: 5F21C071500A00AFEB21CF55DD85F66BBECEF08711F0888AAED459B242D374E414CBB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegQueryValueExW.KERNELBASE(?,00000E2C,4E62F021,00000000,00000000,00000000,00000000), ref: 030BAD34
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559357444.00000000030BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BA000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_30ba000_O.jbxd
                                            Similarity
                                            • API ID: QueryValue
                                            • String ID:
                                            • API String ID: 3660427363-0
                                            • Opcode ID: 35436817ec357fba2792a0192e3c13054ce497427c304906c9a68cf942af09dc
                                            • Instruction ID: e42d5339872bbd2c3eee82a60c3d250620ed7fef7357fe432259e6c296526ec3
                                            • Opcode Fuzzy Hash: 35436817ec357fba2792a0192e3c13054ce497427c304906c9a68cf942af09dc
                                            • Instruction Fuzzy Hash: 02218E75600204AFE721CF19CD85FA6FBECEF04711F08846AED469B252D760E548CAB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559357444.00000000030BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BA000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_30ba000_O.jbxd
                                            Similarity
                                            • API ID: send
                                            • String ID:
                                            • API String ID: 2809346765-0
                                            • Opcode ID: bd017aeed2fde42fac1b5a36cf74d64a4ad5f15b68a08b0e0620f12f95721091
                                            • Instruction ID: e15fd6d38548affb352853c8591249a34db64b96aed82bc926860b2b5bb591b5
                                            • Opcode Fuzzy Hash: bd017aeed2fde42fac1b5a36cf74d64a4ad5f15b68a08b0e0620f12f95721091
                                            • Instruction Fuzzy Hash: 1D215C7140E3C09FD7238B658C54A52BFB4EF47220F0A85DBD9848F163D269A858CB72
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • setsockopt.WS2_32(?,?,?,?,?), ref: 061E17F4
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: setsockopt
                                            • String ID:
                                            • API String ID: 3981526788-0
                                            • Opcode ID: 8bf06207a680b6caff462c1560b81126fa98ec59d00c29fd4f1aa2c1c82d5b28
                                            • Instruction ID: 21f3a812105ab2a2fa2fe0f0e4123cff880193d30e603edd85862cf6da74f25a
                                            • Opcode Fuzzy Hash: 8bf06207a680b6caff462c1560b81126fa98ec59d00c29fd4f1aa2c1c82d5b28
                                            • Instruction Fuzzy Hash: 7821AC324093C0AFDB128F61D840A92BFB4EF07320F1985DAD9848F163C335A849CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • OpenFileMappingW.KERNELBASE(?,?), ref: 061E1CD5
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: FileMappingOpen
                                            • String ID:
                                            • API String ID: 1680863896-0
                                            • Opcode ID: 30a158b70acf8801840a235d3ed035e834abc13a343edda2a927e980b1d89c7b
                                            • Instruction ID: c51a53d73cadfa66c5535952ca3c3cbbb38d4ef149b3ef9b58ef5db317b09c54
                                            • Opcode Fuzzy Hash: 30a158b70acf8801840a235d3ed035e834abc13a343edda2a927e980b1d89c7b
                                            • Instruction Fuzzy Hash: 7021AE71600640AFE721DF29CD89B66FBE8EF04320F14846AED858B242D375E904CB76
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 030BB2E8
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559357444.00000000030BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BA000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_30ba000_O.jbxd
                                            Similarity
                                            • API ID: ChangeCloseFindNotification
                                            • String ID:
                                            • API String ID: 2591292051-0
                                            • Opcode ID: d3a06ca073ceb4cba433e8d3589e6bc0fcfa6bf9236487946fe3a4df5be69184
                                            • Instruction ID: 27f399370ede1641fbf9b1b0bba83732a1f1bca6982a6e3704dd0df85f139f97
                                            • Opcode Fuzzy Hash: d3a06ca073ceb4cba433e8d3589e6bc0fcfa6bf9236487946fe3a4df5be69184
                                            • Instruction Fuzzy Hash: C121A17250A3C05FDB12CB25DC54792BFB4AF47624F0D84DAEC858F663D2659908CB72
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: FileView
                                            • String ID:
                                            • API String ID: 3314676101-0
                                            • Opcode ID: 352fa53168e0cb86ec50891edf90c0516c268466f87b444fed72adb3851794eb
                                            • Instruction ID: 472d34ee14db3bd4f2c1839a79c910653ea50e5de40b619cabfe2a4047e29740
                                            • Opcode Fuzzy Hash: 352fa53168e0cb86ec50891edf90c0516c268466f87b444fed72adb3851794eb
                                            • Instruction Fuzzy Hash: 5321C071500644AFE722DF59CD89FA6FBE8EF08320F04845EE9859B641D375E548CBB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WSASocketW.WS2_32(?,?,?,?,?), ref: 061E171E
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: Socket
                                            • String ID:
                                            • API String ID: 38366605-0
                                            • Opcode ID: 7a804d4f487eba909e69c6f44bc10ebc4241d1e85f5c23c196898b4be9a9e952
                                            • Instruction ID: c52fe922ee4f9724c408658afa91797da54029416e42d2fd4facab57c2679700
                                            • Opcode Fuzzy Hash: 7a804d4f487eba909e69c6f44bc10ebc4241d1e85f5c23c196898b4be9a9e952
                                            • Instruction Fuzzy Hash: C821D171500640AFEB22DF69DE45B66FBE8EF04710F04886EED858B652C371A404CBB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • MkParseDisplayName.OLE32(?,00000E2C,?,?), ref: 030BAE26
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559357444.00000000030BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BA000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_30ba000_O.jbxd
                                            Similarity
                                            • API ID: DisplayNameParse
                                            • String ID:
                                            • API String ID: 3580041360-0
                                            • Opcode ID: 48182942c1a57d98aa4589052b0ecb84afa631908630986b9d982034fbcf74f4
                                            • Instruction ID: 5d83dcc9c6f00204e998d623fc08a89f723846313640442b3e1152afa89d025e
                                            • Opcode Fuzzy Hash: 48182942c1a57d98aa4589052b0ecb84afa631908630986b9d982034fbcf74f4
                                            • Instruction Fuzzy Hash: 8E11B4715053806FD312CB29DC41F72BFB8FF86710F09819AEC848B652D221B915CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 030BAF50
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559357444.00000000030BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BA000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_30ba000_O.jbxd
                                            Similarity
                                            • API ID: ChangeCloseFindNotification
                                            • String ID:
                                            • API String ID: 2591292051-0
                                            • Opcode ID: 84207193cef8a08fa52d019fedb41b74c2d0d0c9668936a750ceabd49a04e70e
                                            • Instruction ID: 5024e70d489e1e3279c3848d14c9584f150b91510c22883da8884c453980e0e8
                                            • Opcode Fuzzy Hash: 84207193cef8a08fa52d019fedb41b74c2d0d0c9668936a750ceabd49a04e70e
                                            • Instruction Fuzzy Hash: B22190B550A3C09FEB138B65DC91792BFB8EF47220F0984DBEC848F653D2659948CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegQueryValueExW.KERNELBASE(?,00000E2C,4E62F021,00000000,00000000,00000000,00000000), ref: 061E1A40
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: QueryValue
                                            • String ID:
                                            • API String ID: 3660427363-0
                                            • Opcode ID: d58009ef85b23b7aadc93c226ee9bc1facc68a991578dcb0c166043fc06c57d0
                                            • Instruction ID: 8e1b03818bb38e2b47dc94ec2436b91e07961be593bfe94549f28ac9a4658323
                                            • Opcode Fuzzy Hash: d58009ef85b23b7aadc93c226ee9bc1facc68a991578dcb0c166043fc06c57d0
                                            • Instruction Fuzzy Hash: 5B11AF72540640AFEB21CE15CD85FA6FBE8EF44710F04846AED459B252D370E508CBB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetNetworkParams.IPHLPAPI(?,00000E2C,4E62F021,00000000,00000000,00000000,00000000), ref: 061E1530
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: NetworkParams
                                            • String ID:
                                            • API String ID: 2134775280-0
                                            • Opcode ID: 8c46bef834faa695c211290385dc96aebc60e491b0caebb615b7ad4bf563ab17
                                            • Instruction ID: 86bdf101621c5ec192715131a19f5aadf588a8354811c361f51f2d967ad69b4c
                                            • Opcode Fuzzy Hash: 8c46bef834faa695c211290385dc96aebc60e491b0caebb615b7ad4bf563ab17
                                            • Instruction Fuzzy Hash: 8111D6714043846FE722CB15DD45F66FFA8EF46320F08849AED449B152C264A948CBB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetProcessTimes.KERNELBASE(?,00000E2C,4E62F021,00000000,00000000,00000000,00000000), ref: 061E233D
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: ProcessTimes
                                            • String ID:
                                            • API String ID: 1995159646-0
                                            • Opcode ID: 074cf56ea78f1a317c556abfd9c6206a7ce28db296e96c2476720b26fbe3e14c
                                            • Instruction ID: 6a7cc4f78b29d4a2bc1a13d6ce684f1fa6334972f68a4cb87a6b33fe0beb9026
                                            • Opcode Fuzzy Hash: 074cf56ea78f1a317c556abfd9c6206a7ce28db296e96c2476720b26fbe3e14c
                                            • Instruction Fuzzy Hash: 4A119071500640AFEB22CF65DE85B6AFBACEF48320F14886AED459B251D374E5048FB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WSAEventSelect.WS2_32(?,00000E2C,4E62F021,00000000,00000000,00000000,00000000), ref: 061E2B7E
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: EventSelect
                                            • String ID:
                                            • API String ID: 31538577-0
                                            • Opcode ID: c66a8a324ba51faba92266ef9797606786f9c665cc1724788a9800ae91bf162a
                                            • Instruction ID: 15dcb85aa012685ad2a82b6b6a018f17cbe1c7058de2d17eecb213ac533b5220
                                            • Opcode Fuzzy Hash: c66a8a324ba51faba92266ef9797606786f9c665cc1724788a9800ae91bf162a
                                            • Instruction Fuzzy Hash: BD11B271800204AFEB22DF55DE89FAAFB9CEF44320F14C86AED45AB241D774E5048BB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 030BAB32
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559357444.00000000030BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BA000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_30ba000_O.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: f0524959c4fb40d85bf70d01160ecdfd6878343010fe40c81ffd0639189d4591
                                            • Instruction ID: a3f525a21ace57029cd18a053170040a17b191bdc8697188627f35c7a48b4383
                                            • Opcode Fuzzy Hash: f0524959c4fb40d85bf70d01160ecdfd6878343010fe40c81ffd0639189d4591
                                            • Instruction Fuzzy Hash: C8117271409780AFDB228F55DC44A62FFF8EF4A220F0885DAED858B563C275A518DB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ReadFile.KERNELBASE(?,00000E2C,4E62F021,00000000,00000000,00000000,00000000), ref: 061E09B1
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: FileRead
                                            • String ID:
                                            • API String ID: 2738559852-0
                                            • Opcode ID: eee38c3ca15a67f890a2c9479a527c160d738d0cb00bcad5f3bee45a74c6619c
                                            • Instruction ID: efc29f87f935616af89d07dcd16af00ec34c092270a57b4b477c7025d7d44cc5
                                            • Opcode Fuzzy Hash: eee38c3ca15a67f890a2c9479a527c160d738d0cb00bcad5f3bee45a74c6619c
                                            • Instruction Fuzzy Hash: 0E11C871400600AFFB22CF55DE45F66FBA8EF48311F14846AED499B252C374A454CBB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GlobalMemoryStatusEx.KERNELBASE(?), ref: 061E11FC
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: GlobalMemoryStatus
                                            • String ID:
                                            • API String ID: 1890195054-0
                                            • Opcode ID: e41bb8d4aed380ffabf2bed3a43d98cc1679ba871de8c115e0b813cb94a7b8f0
                                            • Instruction ID: 5646bf907594bb944a092c40b81d0f8d4fdc2829128b5acacb293633d3ff35ac
                                            • Opcode Fuzzy Hash: e41bb8d4aed380ffabf2bed3a43d98cc1679ba871de8c115e0b813cb94a7b8f0
                                            • Instruction Fuzzy Hash: EC1181715093C09FD7128F65DC45692BFB4EF47220F0984EBDD858F263C275A948CB61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • ioctlsocket.WS2_32(?,00000E2C,4E62F021,00000000,00000000,00000000,00000000), ref: 061E28B7
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: ioctlsocket
                                            • String ID:
                                            • API String ID: 3577187118-0
                                            • Opcode ID: 8205400314a83d98a0adbb7db5d4c3b323d996d2c08753a9d6b4c48ea4afbf2b
                                            • Instruction ID: 7ae312c5aa1362e8bdd0338780949b55d1830b528d0a10db6c10773ced43a923
                                            • Opcode Fuzzy Hash: 8205400314a83d98a0adbb7db5d4c3b323d996d2c08753a9d6b4c48ea4afbf2b
                                            • Instruction Fuzzy Hash: 9011E371400244AFFB22CF54DE85F66FBDCEF44320F14846AEE459B242C374A5448BB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • shutdown.WS2_32(?,00000E2C,4E62F021,00000000,00000000,00000000,00000000), ref: 061E216C
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: shutdown
                                            • String ID:
                                            • API String ID: 2510479042-0
                                            • Opcode ID: 27d4a4b3a80b4675faf0c71b944a0584e16e6f8ada5e69f57989a4a92a6cb378
                                            • Instruction ID: 8669b6fab42ae0826e77a9ee27a4662c82066851e001a2b0956e9a999900ef64
                                            • Opcode Fuzzy Hash: 27d4a4b3a80b4675faf0c71b944a0584e16e6f8ada5e69f57989a4a92a6cb378
                                            • Instruction Fuzzy Hash: 2111C671400644AFFB11DF55DE85B66FBACEF44320F1484AAEE449B241D375A6048BB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: CloseFind
                                            • String ID:
                                            • API String ID: 1863332320-0
                                            • Opcode ID: f2f0ed51dd3be178702828b8103bc9420c7eb6d4a42eb2d698234b6937a499b4
                                            • Instruction ID: de7007aa647c628b8b1f1f841eb23dbfd0c5f3942e038461a3d4717858c17a48
                                            • Opcode Fuzzy Hash: f2f0ed51dd3be178702828b8103bc9420c7eb6d4a42eb2d698234b6937a499b4
                                            • Instruction Fuzzy Hash: A91100755097C05FDB12CB24DC45B92BFA4EF06320F0D80EAEC848F263C364A848CB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LoadLibraryA.KERNELBASE(?,00000E2C), ref: 061E009B
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 179aa6ac7e9793906a2539ba3ca7c89a34605e763e82753411862d18290ccd51
                                            • Instruction ID: a11472e0e4e03fc45642c1f3d895ca10d9a5977238c810d218c0dfae69312e54
                                            • Opcode Fuzzy Hash: 179aa6ac7e9793906a2539ba3ca7c89a34605e763e82753411862d18290ccd51
                                            • Instruction Fuzzy Hash: 57112531500600AFF721DF19DD85B76FB98EF48721F14849AED44AB282C3B5A5488BB6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetAdaptersAddresses.IPHLPAPI(?,00000E2C,4E62F021,00000000,00000000,00000000,00000000), ref: 061E2C5D
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: AdaptersAddresses
                                            • String ID:
                                            • API String ID: 2506852604-0
                                            • Opcode ID: 6ac8cc2eaaf6ad77ca82ce86bdb937a2599f23e297a9c0769e3c496f2e460cc4
                                            • Instruction ID: 6d1116a5dbf323589ad4974e1acd4ddf737b363b9680edf66d78553b50e70a4a
                                            • Opcode Fuzzy Hash: 6ac8cc2eaaf6ad77ca82ce86bdb937a2599f23e297a9c0769e3c496f2e460cc4
                                            • Instruction Fuzzy Hash: 9E11E571500700AFEB228F15DE85F66FBACEF04720F14846AED455B652D375E648CBB2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetErrorMode.KERNELBASE(?), ref: 030BA26C
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559357444.00000000030BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BA000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_30ba000_O.jbxd
                                            Similarity
                                            • API ID: ErrorMode
                                            • String ID:
                                            • API String ID: 2340568224-0
                                            • Opcode ID: 87a01e3c374629f4fd9079b4c7059002b18622dc8de5124b2e55419180416c75
                                            • Instruction ID: 34f14d7a57d045dbd9e00a5ac7d07bcdce18efaee70bce6003b56b63d7b4c784
                                            • Opcode Fuzzy Hash: 87a01e3c374629f4fd9079b4c7059002b18622dc8de5124b2e55419180416c75
                                            • Instruction Fuzzy Hash: D31191714093C09FDB128B25DC54AA2FFB8EF47624F0880DAEDC44F253D26A6818DB72
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559357444.00000000030BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BA000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_30ba000_O.jbxd
                                            Similarity
                                            • API ID: closesocket
                                            • String ID:
                                            • API String ID: 2781271927-0
                                            • Opcode ID: d0766e212144313eca89eaaabbbb245f326c6d8c0fc01d0f019142aa90689fc0
                                            • Instruction ID: 43601cec2342d36458689721c63b77df1bd9274a3b669ceeb8ad49eafa6cac17
                                            • Opcode Fuzzy Hash: d0766e212144313eca89eaaabbbb245f326c6d8c0fc01d0f019142aa90689fc0
                                            • Instruction Fuzzy Hash: E3118B714493849FDB12CB14DC84B52BFB4EF46220F1884DBED849F293D279A809CBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetNetworkParams.IPHLPAPI(?,00000E2C,4E62F021,00000000,00000000,00000000,00000000), ref: 061E1530
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: NetworkParams
                                            • String ID:
                                            • API String ID: 2134775280-0
                                            • Opcode ID: 6f7f28fd709f851d1d212e767012d7005fa916e7503b55a492a3f1ea83894901
                                            • Instruction ID: 6a18dc2122e67546e31112db8381f0b64eb99900107d19f1c31a716ec902f431
                                            • Opcode Fuzzy Hash: 6f7f28fd709f851d1d212e767012d7005fa916e7503b55a492a3f1ea83894901
                                            • Instruction Fuzzy Hash: DE012B71400600AFEB11DF15DE85BA6FB9CEF05720F14849AED459B241D374E504CBB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 030BB012
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559357444.00000000030BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BA000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_30ba000_O.jbxd
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            • Opcode ID: fdc330c934b14f869e83f0aca6f03e0851ed9c10ae8ac33a2d18a5b0989b9522
                                            • Instruction ID: 304b45f5860cb3a77258f9651f797902698d041cb727e042dd64ceb6928eba1f
                                            • Opcode Fuzzy Hash: fdc330c934b14f869e83f0aca6f03e0851ed9c10ae8ac33a2d18a5b0989b9522
                                            • Instruction Fuzzy Hash: 6F11E1716052408FEB60DF29DC857A6FBE8EF04220F08C4AAED49CB702D271E408CB72
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GetFileType.KERNELBASE(?,00000E2C,4E62F021,00000000,00000000,00000000,00000000), ref: 061E08E5
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: FileType
                                            • String ID:
                                            • API String ID: 3081899298-0
                                            • Opcode ID: 1c377ecc5bb8349f826958e48f312329cd65e0b0c57cd9cd7e43255e297da768
                                            • Instruction ID: 250c0caa78e2051848a2a5e0b37abfd78096c4d55f97637c02067dc23e56f7e7
                                            • Opcode Fuzzy Hash: 1c377ecc5bb8349f826958e48f312329cd65e0b0c57cd9cd7e43255e297da768
                                            • Instruction Fuzzy Hash: 96012631500644AEF721DF15DE85F66FB9CDF08321F14849AED44AB242C3B4E9048BB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 061E2D1E
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: Connect
                                            • String ID:
                                            • API String ID: 3144859779-0
                                            • Opcode ID: 1cd8b9fe6dd581a3cd2ecb5c34828d4a2dac79ce9bc088355b03326466385dae
                                            • Instruction ID: fa367b76e756d198d38f5b499820d92a6e186bd5b248a614788daca5f437a8a0
                                            • Opcode Fuzzy Hash: 1cd8b9fe6dd581a3cd2ecb5c34828d4a2dac79ce9bc088355b03326466385dae
                                            • Instruction Fuzzy Hash: 3F1170355006449FEB21CF55D944B52FBE8FF48320F1888AADE498B622D375E518CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • WSAStartup.WS2_32(?,00000E2C,?,?), ref: 030BA10E
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559357444.00000000030BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BA000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_30ba000_O.jbxd
                                            Similarity
                                            • API ID: Startup
                                            • String ID:
                                            • API String ID: 724789610-0
                                            • Opcode ID: d1ddfb30645cac2f9b64f718dc32b2a8cbf568187b21ce8e0f1631afa9f54e34
                                            • Instruction ID: f73932ad9392c55a3816a41146f4e7de0fd91147d6600b6e233caccf0ed2aa62
                                            • Opcode Fuzzy Hash: d1ddfb30645cac2f9b64f718dc32b2a8cbf568187b21ce8e0f1631afa9f54e34
                                            • Instruction Fuzzy Hash: 9401B171500200ABD710DF1ADC81B26FBA8FB88B20F14C16AED089B741D631B915CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 030BAB32
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559357444.00000000030BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BA000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_30ba000_O.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: cb31e79961b83d1f74d758c1695bce504aa10b775ed96c4011c45374e3bd9809
                                            • Instruction ID: b8cd6f499d55062e90d008cdf6ca756ef40ad6647a8e1a3ff31ad6d1f0998434
                                            • Opcode Fuzzy Hash: cb31e79961b83d1f74d758c1695bce504aa10b775ed96c4011c45374e3bd9809
                                            • Instruction Fuzzy Hash: 5B016D315017409FDB21CF95D984B56FFF5EF48720F08C9AAEE894B652C276A418CF62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 061E148E
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: QueryValue
                                            • String ID:
                                            • API String ID: 3660427363-0
                                            • Opcode ID: 9abaa3ad650340af3d744e8a9c16543f64ac2a803b3edae7bbe4330d824c0310
                                            • Instruction ID: e9a9523faec06d7dc359011be218b81fe5f262ea1ef8437fbf9c7af795aa3f32
                                            • Opcode Fuzzy Hash: 9abaa3ad650340af3d744e8a9c16543f64ac2a803b3edae7bbe4330d824c0310
                                            • Instruction Fuzzy Hash: 6B018F75500204ABD250DF1ADC82B26FBA8FB88B20F14C11AED085B741D671B915CAA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • RegEnumKeyExW.KERNELBASE(?,00000E2C,?,?), ref: 061E0C96
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: Enum
                                            • String ID:
                                            • API String ID: 2928410991-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • setsockopt.WS2_32(?,?,?,?,?), ref: 061E17F4
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: setsockopt
                                            • String ID:
                                            • API String ID: 3981526788-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • GlobalMemoryStatusEx.KERNELBASE(?), ref: 061E11FC
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: GlobalMemoryStatus
                                            • String ID:
                                            • API String ID: 1890195054-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 030BAF50
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559357444.00000000030BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BA000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_30ba000_O.jbxd
                                            Similarity
                                            • API ID: ChangeCloseFindNotification
                                            • String ID:
                                            • API String ID: 2591292051-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 030BB2E8
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559357444.00000000030BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BA000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_30ba000_O.jbxd
                                            Similarity
                                            • API ID: ChangeCloseFindNotification
                                            • String ID:
                                            • API String ID: 2591292051-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • MkParseDisplayName.OLE32(?,00000E2C,?,?), ref: 030BAE26
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559357444.00000000030BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BA000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_30ba000_O.jbxd
                                            Similarity
                                            • API ID: DisplayNameParse
                                            • String ID:
                                            • API String ID: 3580041360-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559357444.00000000030BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BA000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_30ba000_O.jbxd
                                            Similarity
                                            • API ID: send
                                            • String ID:
                                            • API String ID: 2809346765-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560675924.00000000061E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_61e0000_O.jbxd
                                            Similarity
                                            • API ID: CloseFind
                                            • String ID:
                                            • API String ID: 1863332320-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559357444.00000000030BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BA000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_30ba000_O.jbxd
                                            Similarity
                                            • API ID: closesocket
                                            • String ID:
                                            • API String ID: 2781271927-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            APIs
                                            • SetErrorMode.KERNELBASE(?), ref: 030BA26C
                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559357444.00000000030BA000.00000040.00000800.00020000.00000000.sdmp, Offset: 030BA000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_30ba000_O.jbxd
                                            Similarity
                                            • API ID: ErrorMode
                                            • String ID:
                                            • API String ID: 2340568224-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560341294.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_59b0000_O.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560341294.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_59b0000_O.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560341294.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_59b0000_O.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560341294.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_59b0000_O.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560693928.0000000006200000.00000040.00000800.00020000.00000000.sdmp, Offset: 06200000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_6200000_O.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559658721.0000000003210000.00000040.00000020.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_3210000_O.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560693928.0000000006200000.00000040.00000800.00020000.00000000.sdmp, Offset: 06200000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_6200000_O.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559658721.0000000003210000.00000040.00000020.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_3210000_O.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560341294.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_59b0000_O.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559658721.0000000003210000.00000040.00000020.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_3210000_O.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560341294.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_59b0000_O.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559658721.0000000003210000.00000040.00000020.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_3210000_O.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560341294.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_59b0000_O.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559658721.0000000003210000.00000040.00000020.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_3210000_O.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560693928.0000000006200000.00000040.00000800.00020000.00000000.sdmp, Offset: 06200000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_6200000_O.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560693928.0000000006200000.00000040.00000800.00020000.00000000.sdmp, Offset: 06200000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_6200000_O.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.560341294.00000000059B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_59b0000_O.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559345957.00000000030B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B2000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_30b2000_O.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000011.00000002.559345957.00000000030B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B2000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_17_2_30b2000_O.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Execution Graph

                                            Execution Coverage:25.4%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:7
                                            Total number of Limit Nodes:1

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000017.00000002.466255566.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_48f0000_dhcpmon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000017.00000002.466255566.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_48f0000_dhcpmon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000017.00000002.466255566.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_48f0000_dhcpmon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000017.00000002.466255566.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_48f0000_dhcpmon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: X1q$X1q$X1q$X1q
                                            • API String ID: 0-1201878573
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000017.00000002.466255566.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_48f0000_dhcpmon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $gq
                                            • API String ID: 0-815412418
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • CreateMutexW.KERNELBASE(?,?), ref: 04A2019D
                                            Memory Dump Source
                                            • Source File: 00000017.00000002.466478614.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_4a20000_dhcpmon.jbxd
                                            Similarity
                                            • API ID: CreateMutex
                                            • String ID:
                                            • API String ID: 1964310414-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • CreateMutexW.KERNELBASE(?,?), ref: 04A2019D
                                            Memory Dump Source
                                            • Source File: 00000017.00000002.466478614.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_4a20000_dhcpmon.jbxd
                                            Similarity
                                            • API ID: CreateMutex
                                            • String ID:
                                            • API String ID: 1964310414-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            APIs
                                            • CreateMutexW.KERNELBASE(?,?), ref: 04A2019D
                                            Memory Dump Source
                                            • Source File: 00000017.00000002.466478614.0000000004A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_4a20000_dhcpmon.jbxd
                                            Similarity
                                            • API ID: CreateMutex
                                            • String ID:
                                            • API String ID: 1964310414-0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000017.00000002.466255566.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_48f0000_dhcpmon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: r*+
                                            • API String ID: 0-3221063712
                                            • Opcode ID: 41e77d462017f7b62c00e8c175fa60d4c49eb42ba531bf5e438de37b39eeb5bd
                                            • Instruction ID: 14b8ade3915ca0aaef32cda7a08659b4aef5c9b92ca28fce82f3dbce985cb90e
                                            • Opcode Fuzzy Hash: 41e77d462017f7b62c00e8c175fa60d4c49eb42ba531bf5e438de37b39eeb5bd
                                            • Instruction Fuzzy Hash: B1718230A08249DFCB05DFA4C9456BEBBB1FF85304F508AEAC602DB265E7366D41DB52
                                            Uniqueness

                                            Uniqueness Score: -1.00%

Control-flow Graph (summary of the graph rendered in the original report)

• Entry 048F02E8; basic blocks span 048F02E8-048F05B5.
• No call edges recorded.
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000017.00000002.466255566.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_48f0000_dhcpmon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: `5q
                                            • API String ID: 0-3867205651
                                            • Opcode ID: a1cb0d074c962c1ffe800bd9114e11cd1dc8736962e5c912c3e8e204bba553e6
                                            • Instruction ID: a878580456c15cf528033a665b3cfebf16bc46f950e45b2fcf2cbc9528fbdc93
                                            • Opcode Fuzzy Hash: a1cb0d074c962c1ffe800bd9114e11cd1dc8736962e5c912c3e8e204bba553e6
                                            • Instruction Fuzzy Hash: 6C519E34B052058FDB09DB68C9506AD7BF2FF8A304F2485A9D646EB392DB35AC41CB52
                                            Uniqueness

                                            Uniqueness Score: -1.00%

Control-flow Graph (summary of the graph rendered in the original report)

• Entry 048F0BC0; basic blocks span 048F0BC0-048F0D05.
• No call edges recorded.
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000017.00000002.466255566.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_48f0000_dhcpmon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: hXMr
                                            • API String ID: 0-1185242784
                                            • Opcode ID: e8b8a0634b0580c499616385c28cba73a784d43f7563589fe78e91ecc1da3699
                                            • Instruction ID: 5c4168576b46f7cddaeeaa6d35423b2216ef3186e4f56c7dd6a84c4be82ee150
                                            • Opcode Fuzzy Hash: e8b8a0634b0580c499616385c28cba73a784d43f7563589fe78e91ecc1da3699
                                            • Instruction Fuzzy Hash: 52411A31B05118CFC7059B68C8146AE7BF7BFC6310F15856AE906DF3A2DEB1AD068792
                                            Uniqueness

                                            Uniqueness Score: -1.00%

Control-flow Graph (summary of the graph rendered in the original report)

• Entry 048F2D58; basic blocks span 048F2D58-048F2ED7.
• Call site 048F2D91 with resolved targets 048F2D58 (the function itself, so it recurses), 048F2D47 and 048F2EC0. Several resolved targets at one site indicate an indirect call.
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000017.00000002.466255566.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_48f0000_dhcpmon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID: 0-3916222277
                                            • Opcode ID: 1fa3cb9d1de39113143c9bb9188aa6b0d96306bc95a303efc8cd834d22158cf3
                                            • Instruction ID: 5d486d193bb72f4af00dc1b6e80212c87b2384b98b8854368e85b6a580358687
                                            • Opcode Fuzzy Hash: 1fa3cb9d1de39113143c9bb9188aa6b0d96306bc95a303efc8cd834d22158cf3
                                            • Instruction Fuzzy Hash: 2241C531F04119CBCB10DFA9CC405AE7762FBC0318B25CEA6D615DB646D636F8528B92
                                            Uniqueness

                                            Uniqueness Score: -1.00%

Control-flow Graph (summary of the graph rendered in the original report)

• Entry 048F1458; basic blocks span 048F1458-048F203C.
• Eleven-way branch at 048F1610 (switch-style dispatch); every case rejoins at 048F1FAC.
• The one-byte block at 048F203C branches to itself (a tight loop as disassembled).
• No call edges recorded.
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000017.00000002.466255566.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_48f0000_dhcpmon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $gq
                                            • API String ID: 0-815412418
                                            • Opcode ID: e7588100e4f206e5fe84cb734349a5425fb4a77a871771ced1aaba0c3551750b
                                            • Instruction ID: bbc92a5097af93ac96f87d829d94321cf836fbec2c7efe7de2ebce2f5aa3e1d8
                                            • Opcode Fuzzy Hash: e7588100e4f206e5fe84cb734349a5425fb4a77a871771ced1aaba0c3551750b
                                            • Instruction Fuzzy Hash: 14512834A01219CFDB14DF64C898B9CBBB2BF49304F5085E9D50AAB366DB39AD84CF51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

Control-flow Graph (summary of the graph rendered in the original report)

• Entry 048F1298; basic blocks span 048F1298-048F203C.
• From 048F1587 onward the blocks are the same as in the function at 048F1458 above, including the eleven-way branch at 048F1610 and the self-looping block at 048F203C: one body reached from two entries.
• No call edges recorded.
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000017.00000002.466255566.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_48f0000_dhcpmon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $gq
                                            • API String ID: 0-815412418
                                            • Opcode ID: 8b098f53202f25aafee80b5e7bb2971dfc5815d2660d42036d258be8aaad5763
                                            • Instruction ID: deff2ef3fdf9a1640302bbd6dd4aee2e0ddc0644d9bf75321b2c93ff0696e0b6
                                            • Opcode Fuzzy Hash: 8b098f53202f25aafee80b5e7bb2971dfc5815d2660d42036d258be8aaad5763
                                            • Instruction Fuzzy Hash: 86412734A04219CFDB54DF68C898BADBBB1BB49304F0045A9D54AEB356DB34AD84CF61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

Control-flow Graph (summary of the graph rendered in the original report)

• Entry 048F05C0; a linear chain of four blocks from 048F05C0 to 048F064B.
• No call edges recorded.
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000017.00000002.466255566.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_48f0000_dhcpmon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 8$q
                                            • API String ID: 0-2903697390
                                            • Opcode ID: 0de98ac33b0eb255ef293d3803c88dbf3c87bbd38645d7a706c42af12fdf1b6d
                                            • Instruction ID: ebcbdd5f37544ed07b68ee65c1b16da5c34b9785d1795c7f33baefe6bcee034f
                                            • Opcode Fuzzy Hash: 0de98ac33b0eb255ef293d3803c88dbf3c87bbd38645d7a706c42af12fdf1b6d
                                            • Instruction Fuzzy Hash: 1FF0FF307411240FCA09277D69125BE228BAFC6641B18403EF106EB3AACEA85C4703E3
                                            Uniqueness

                                            Uniqueness Score: -1.00%

Control-flow Graph (summary of the graph rendered in the original report)

• Entry 048F05C8; two blocks, 048F05C8-048F061E and 048F0623-048F064B.
• Lies entirely inside the function at 048F05C0 above: a second entry eight bytes after the first.
• No call edges recorded.
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000017.00000002.466255566.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_48f0000_dhcpmon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 8$q
                                            • API String ID: 0-2903697390
                                            • Opcode ID: 2b3aa366aa53f6ed4271c40b96770842901787dfe1ecfdb47e7e24d8c4740543
                                            • Instruction ID: d0f6a81d7d080d3c0feae96aa0487f58a3bceeb20b8f99032d60c50dfb40ddc3
                                            • Opcode Fuzzy Hash: 2b3aa366aa53f6ed4271c40b96770842901787dfe1ecfdb47e7e24d8c4740543
                                            • Instruction Fuzzy Hash: ACF0BB213011241FC609377D69125BF228FAFC5A51B54443EF106E73A9DDB96C4703E7
                                            Uniqueness

                                            Uniqueness Score: -1.00%
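Each Control-flow Graph in this section is stored in the report as whitespace-separated text that the page renders as a graph: after the control_flow_graph keyword, every basic block is ID START-END (or ID ADDR for a single-byte block), a resolved call is ID ADDR call TARGET, and each edge is SRC->DST, with all addresses in hex. The helper below is an added example and not part of Joe Sandbox; it parses that text and pulls out what an analyst wants from these graphs: entry and extent, call sites with more than one resolved target (indirect calls), recursion, blocks that branch to themselves, and code shared by two graphs (the functions at 048F05C0 and 048F05C8 in this section). The graph strings are copied from the original report's graph text for the functions at 048F2D58, 048F05C0 and 048F05C8; CFG_SPIN is constructed.

```python
"""Parse Joe Sandbox 'control_flow_graph ...' text. Added example, not Joe
Sandbox code. Grammar as observed in this report: 'ID START-END' or 'ID ADDR'
defines a block, 'ID ADDR call TARGET' a resolved call, 'SRC->DST' an edge."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Block:
    bid: int
    start: int
    end: int
    call_target: Optional[int] = None   # only on 'ADDR call TARGET' nodes


@dataclass
class Cfg:
    blocks: Dict[int, Block] = field(default_factory=dict)
    edges: List[Tuple[int, int]] = field(default_factory=list)

    def code_blocks(self) -> List[Block]:
        return [b for b in self.blocks.values() if b.call_target is None]

    def entry(self) -> int:
        return next(iter(self.blocks.values())).start  # entry is listed first

    def extent(self) -> Tuple[int, int]:
        bs = self.code_blocks()
        return min(b.start for b in bs), max(b.end for b in bs)

    def call_sites(self) -> Dict[int, List[int]]:
        """Call-site address -> sorted resolved targets."""
        sites: Dict[int, set] = {}
        for b in self.blocks.values():
            if b.call_target is not None:
                sites.setdefault(b.start, set()).add(b.call_target)
        return {a: sorted(t) for a, t in sorted(sites.items())}

    def indirect_call_sites(self) -> List[int]:
        # Several resolved targets at one site: the call is indirect.
        return [a for a, t in self.call_sites().items() if len(t) > 1]

    def is_recursive(self) -> bool:
        return any(self.entry() in t for t in self.call_sites().values())

    def self_loops(self) -> List[int]:
        # Blocks with an edge to themselves (a tight loop as disassembled).
        return sorted({self.blocks[s].start for s, d in self.edges if s == d})


def parse_cfg(text: str) -> Cfg:
    toks = text.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    cfg, i = Cfg(), 0
    while i < len(toks):
        if "->" in toks[i]:                      # edge between node ids
            src, dst = toks[i].split("->")
            cfg.edges.append((int(src), int(dst)))
            i += 1
            continue
        bid = int(toks[i])                       # node definition
        lo, _, hi = toks[i + 1].partition("-")
        start, end, i = int(lo, 16), int(hi or lo, 16), i + 2
        target = None
        if i < len(toks) and toks[i] == "call":
            target, i = int(toks[i + 1], 16), i + 2
        cfg.blocks[bid] = Block(bid, start, end, target)
    return cfg


def shared_code(a: Cfg, b: Cfg) -> List[Tuple[int, int]]:
    """Address ranges covered by blocks of both graphs (one body, two entries)."""
    found = set()
    for x in a.code_blocks():
        for y in b.code_blocks():
            lo, hi = max(x.start, y.start), min(x.end, y.end)
            if lo <= hi:
                found.add((lo, hi))
    return sorted(found)


# Graph text copied from this report for the functions at 048F2D58, 048F05C0
# and 048F05C8; CFG_SPIN is constructed to show a self-looping block.
CFG_48F2D58 = (
    "control_flow_graph 401 48f2d58-48f2d8a 405 48f2d8c 401->405 406 48f2d91 401->406 "
    "407 48f2e9d-48f2ea4 405->407 440 48f2d91 call 48f2d58 406->440 441 48f2d91 call "
    "48f2d47 406->441 442 48f2d91 call 48f2ec0 406->442 408 48f2d97-48f2d99 409 48f2d9b "
    "408->409 410 48f2da0-48f2e13 408->410 409->407 414 48f2dbf-48f2dc9 410->414 "
    "415 48f2ea7-48f2ebc 410->415 414->415 416 48f2dcf-48f2dd9 414->416 "
    "420 48f2e4f-48f2e67 415->420 421 48f2ebe-48f2ecb 415->421 416->415 "
    "417 48f2ddf-48f2de9 416->417 417->415 419 48f2def-48f2e22 417->419 "
    "426 48f2e76-48f2e7a 419->426 420->415 422 48f2e69-48f2e73 420->422 "
    "424 48f2ecd-48f2ed0 421->424 425 48f2ed1-48f2ed7 421->425 422->426 "
    "428 48f2e7c 426->428 429 48f2e24-48f2e39 426->429 431 48f2e7e-48f2e80 428->431 "
    "429->415 433 48f2e3b-48f2e4c 429->433 431->415 434 48f2e82-48f2e8c 431->434 "
    "433->420 434->431 436 48f2e8e-48f2e9a 434->436 436->407 440->408 441->408 442->408")
CFG_48F05C0 = ("control_flow_graph 663 48f05c0-48f05cf 664 48f05d6-48f0610 663->664 "
               "670 48f0615-48f061e 664->670 672 48f0623-48f064b 670->672")
CFG_48F05C8 = "control_flow_graph 678 48f05c8-48f061e 687 48f0623-48f064b 678->687"
CFG_SPIN = "control_flow_graph 1 1000-1008 2 100a 1->2 2->2"

if __name__ == "__main__":
    g = parse_cfg(CFG_48F2D58)
    print(hex(g.entry()), [hex(a) for a in g.extent()], "recursive:", g.is_recursive())
    print({hex(a): [hex(t) for t in ts] for a, ts in g.call_sites().items()})
    print([(hex(lo), hex(hi)) for lo, hi in
           shared_code(parse_cfg(CFG_48F05C0), parse_cfg(CFG_48F05C8))])
```

Run on the 048F2D58 graph it reports one call site, 048F2D91, with three resolved targets including the function's own entry; run on the 048F05C0 and 048F05C8 graphs it shows that every byte of the second function lies inside the first, so the two entries share one body.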

                                            Memory Dump Source
                                            • Source File: 00000017.00000002.466255566.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_48f0000_dhcpmon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ae170e64083d4094812391d926f8c79f63c7f1355ff1f0dcbfcc6551a5c027fe
                                            • Instruction ID: ca105a1f16730858cdedd0323087f455946bef2b3eb9571db56133bf3e3955de
                                            • Opcode Fuzzy Hash: ae170e64083d4094812391d926f8c79f63c7f1355ff1f0dcbfcc6551a5c027fe
                                            • Instruction Fuzzy Hash: 154184303092058FD7056B78ED0D6AD376ABF81702B54896DF503CB2BAEF795C429B92
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000017.00000002.466255566.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_48f0000_dhcpmon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9437b966b4275e38b9f17c3082dae4034f599f81e455fd1fac41daf5827a9c46
                                            • Instruction ID: 9c9b869c748f3f5d218bf3ac8e5bbbb1321138e53eb1029cdbad1dac92a5811a
                                            • Opcode Fuzzy Hash: 9437b966b4275e38b9f17c3082dae4034f599f81e455fd1fac41daf5827a9c46
                                            • Instruction Fuzzy Hash: 9F41273460D389DFC31697289C545747FB4AF43218B0A8AE7D286CF263F726AC05D762
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000017.00000002.466255566.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_48f0000_dhcpmon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8721bb50f53567782efefbdd39ccb83a1d988f0ba2897ec21d9dc050ffbcaaaf
                                            • Instruction ID: a3644cf16e25978c4d625d11978545c9341b965d8ac9b6afa5f3cbb46883f8af
                                            • Opcode Fuzzy Hash: 8721bb50f53567782efefbdd39ccb83a1d988f0ba2897ec21d9dc050ffbcaaaf
                                            • Instruction Fuzzy Hash: 944162302082058BD7056B78EC0D6AD3BAABF81702754896DF503CB2B6EF744C429B92
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000017.00000002.466255566.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_48f0000_dhcpmon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6da41806e22eea8f7be082b4edf658d209a9720fe46923702e7a0b5fa714927a
                                            • Instruction ID: d96139eb62fbe8ae00a59c6479c19d2268b176f1fd4b22b36f33a69782d173cf
                                            • Opcode Fuzzy Hash: 6da41806e22eea8f7be082b4edf658d209a9720fe46923702e7a0b5fa714927a
                                            • Instruction Fuzzy Hash: 13316F34B012058FDB19CB68C954BAD7BB2FF8A314F144969D642EB3A2DB71AC40CB51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000017.00000002.466255566.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_48f0000_dhcpmon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7860dc87c98d328d4ee24c27c0864e05558ac1b0f396c4e1fb17a12ab1e2ea20
                                            • Instruction ID: 78208a2dce3003439f28bd742a9052a633b7c1c648ce22f1a58ef600432189ce
                                            • Opcode Fuzzy Hash: 7860dc87c98d328d4ee24c27c0864e05558ac1b0f396c4e1fb17a12ab1e2ea20
                                            • Instruction Fuzzy Hash: B731587060E3C69FC707AB7498684597FB1BE83204B49899FD1C1CB1A7EB789849DB13
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000017.00000002.466255566.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_48f0000_dhcpmon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9e976dbce920ba7d2d27c19f90f37d1ad1656f7f52f75897dc525e302d4bc8b7
                                            • Instruction ID: 2afa83e9da198b6e48d179a84225c3faeed8033e13517bcb378ee7c5eb56f84c
                                            • Opcode Fuzzy Hash: 9e976dbce920ba7d2d27c19f90f37d1ad1656f7f52f75897dc525e302d4bc8b7
                                            • Instruction Fuzzy Hash: 0E31C130A00249CFDB20DF66C94469EFBF2BF44304F10C669C105EB266DBB9A989CF41
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000017.00000002.466255566.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_48f0000_dhcpmon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 752287864c4878b8373ade1161ee2b82f1f1e4c09cfe8681d4b2216ee19cc146
                                            • Instruction ID: 1e6c5d05ab05970bcb1ac085b0135d62e566c6464aaf4b5d92d4af31e3d54f13
                                            • Opcode Fuzzy Hash: 752287864c4878b8373ade1161ee2b82f1f1e4c09cfe8681d4b2216ee19cc146
                                            • Instruction Fuzzy Hash: 5C318E30A08249DFCB45CBE4C9456ADBBB1FF05308F104ADAC502DB2A2E7366E05DB52
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000017.00000002.466255566.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_48f0000_dhcpmon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ba4102241ec8842d1810f21eed23e73fed65fd0efc17b5c60d7eb7af2e7b5062
                                            • Instruction ID: 9eca8312109105dcbaa7792f25469bcbe85168fb00d4bdb247235a505a7234fe
                                            • Opcode Fuzzy Hash: ba4102241ec8842d1810f21eed23e73fed65fd0efc17b5c60d7eb7af2e7b5062
                                            • Instruction Fuzzy Hash: D9113631B00219CBDB14EBF59C055BF7AAABF94700B504A3FD607D3281EEB1A90097A2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000017.00000002.466255566.00000000048F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048F0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_48f0000_dhcpmon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a25f70a877e68f1838038b564191a7c9a13528e97434ed3c43f062be15b8fb9b
                                            • Instruction ID: bec1a14f2cb6cf4ecdab57c0005ab57546d32993d1a52b8472237ecfe4997584
                                            • Opcode Fuzzy Hash: a25f70a877e68f1838038b564191a7c9a13528e97434ed3c43f062be15b8fb9b
                                            • Instruction Fuzzy Hash: 9621FD30E08209DFDB44DBE4C9456BDBBB1FB44304F104AAAD602D7295E776AA44DB52
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Memory Dump Source
                                            • Source File: 00000017.00000002.465624581.0000000002470000.00000040.00000020.00020000.00000000.sdmp, Offset: 02470000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_23_2_2470000_dhcpmon.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4a12a44692b5d4bc4638c0f850ddbeb6304c5db372afb5453222bf8eab432753
                                            • Instruction ID: bce51689dfd6a685444191812898e0233e801bb1acf696d9cfe8106ae8dc0061