Windows Analysis Report
IntelCpHeciSvc.exe

Overview

General Information

Sample Name: IntelCpHeciSvc.exe
Analysis ID: 877850
MD5: 6b4a5a412e90721fba5170a25caefbd4
SHA1: 7796314ed7b9b9472b98d6efbb93164e44877c34
SHA256: 62271e4b8eeb27837dda10e85fb4b4a8f0c54b319ea06d28ffd56fab022d6f18
Tags: exe

Detection

Nanocore, Neshta
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Neshta
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Infects executable files (exe, dll, sys, html)
Drops PE files with a suspicious file extension
Drops executable to a common third party application directory
Machine Learning detection for sample
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Uses dynamic DNS services
Uses 32bit PE files
Yara signature match
Drops PE files to the application program directory (C:\ProgramData)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • IntelCpHeciSvc.exe (PID: 5760 cmdline: C:\Users\user\Desktop\IntelCpHeciSvc.exe MD5: 6B4A5A412E90721FBA5170A25CAEFBD4)
    • IntelCpHeciSvc.exe (PID: 6824 cmdline: "C:\Users\user~1\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe" MD5: 7F00E9819E4B205654B46E0090E6763E)
  • svchost.com (PID: 7040 cmdline: "C:\Windows\svchost.com" "C:\PROGRA~1\DHCPMO~1\dhcpmon.exe" MD5: 36FD5E09C417C767A952B4609D73A54B)
    • dhcpmon.exe (PID: 4728 cmdline: C:\PROGRA~1\DHCPMO~1\dhcpmon.exe MD5: 7F00E9819E4B205654B46E0090E6763E)
  • cleanup
{"Version": "1.2.2.0", "Mutex": "7d265ee0-5eff-4ffb-9f35-947e4a7e", "Group": "Default", "Domain1": "", "Domain2": "googleusercontent.ddns.net", "Port": 54984, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source: IntelCpHeciSvc.exe | Rule: MAL_Malware_Imphash_Mar23_1 | Description: Detects malware by known bad imphash or rich_pe_header_hash | Author: Arnim Rupp
Source: IntelCpHeciSvc.exe | Rule: MAL_Neshta_Generic | Description: Detects Neshta malware | Author: Florian Roth (Nextron Systems)
  • 0xa0e7:$x1: the best. Fuck off all the rest.
  • 0xa1a8:$x2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
  • 0xa108:$s1: Neshta
  • 0xa113:$s2: Made in Belarus.
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
Source: IntelCpHeciSvc.exe | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: IntelCpHeciSvc.exe | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth (Nextron Systems)
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Source: IntelCpHeciSvc.exe | Rule: JoeSecurity_Neshta | Description: Yara detected Neshta | Author: Joe Security
Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE | Rule: MAL_Malware_Imphash_Mar23_1 | Description: Detects malware by known bad imphash or rich_pe_header_hash | Author: Arnim Rupp
Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE | Rule: MAL_Neshta_Generic | Description: Detects Neshta malware | Author: Florian Roth (Nextron Systems)
  • 0xa0e7:$x1: the best. Fuck off all the rest.
  • 0xa1a8:$x2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
  • 0xa108:$s1: Neshta
  • 0xa113:$s2: Made in Belarus.
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE | Rule: JoeSecurity_Neshta | Description: Yara detected Neshta | Author: Joe Security
Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE | Rule: MALWARE_Win_Neshta | Description: Detects Neshta | Author: ditekSHen
  • 0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus.
  • 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe | Rule: MAL_Malware_Imphash_Mar23_1 | Description: Detects malware by known bad imphash or rich_pe_header_hash | Author: Arnim Rupp
Source: 00000003.00000002.403891013.00000000134B0000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000003.00000002.403891013.00000000134B0000.00000004.00000800.00020000.00000000.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x42d85:$a: NanoCore
  • 0x42dde:$a: NanoCore
  • 0x42e1b:$a: NanoCore
  • 0x42e94:$a: NanoCore
  • 0x5653f:$a: NanoCore
  • 0x56554:$a: NanoCore
  • 0x56589:$a: NanoCore
  • 0x6f013:$a: NanoCore
  • 0x6f028:$a: NanoCore
  • 0x6f05d:$a: NanoCore
  • 0x42de7:$b: ClientPlugin
  • 0x42e24:$b: ClientPlugin
  • 0x43722:$b: ClientPlugin
  • 0x4372f:$b: ClientPlugin
  • 0x562fb:$b: ClientPlugin
  • 0x56316:$b: ClientPlugin
  • 0x56346:$b: ClientPlugin
  • 0x5655d:$b: ClientPlugin
  • 0x56592:$b: ClientPlugin
  • 0x6edcf:$b: ClientPlugin
  • 0x6edea:$b: ClientPlugin
Source: 00000003.00000002.403891013.00000000134B0000.00000004.00000800.00020000.00000000.sdmp | Rule: Windows_Trojan_Nanocore_d8c4e3c5 | Description: unknown | Author: unknown
  • 0x42e1b:$a1: NanoCore.ClientPluginHost
  • 0x56589:$a1: NanoCore.ClientPluginHost
  • 0x6f05d:$a1: NanoCore.ClientPluginHost
  • 0x42dde:$a2: NanoCore.ClientPlugin
  • 0x56554:$a2: NanoCore.ClientPlugin
  • 0x6f028:$a2: NanoCore.ClientPlugin
  • 0x431b2:$b1: get_BuilderSettings
  • 0x5b4cf:$b1: get_BuilderSettings
  • 0x73fa3:$b1: get_BuilderSettings
  • 0x42e69:$b4: IClientAppHost
  • 0x43223:$b6: AddHostEntry
  • 0x43292:$b7: LogClientException
  • 0x5b43e:$b7: LogClientException
  • 0x73f12:$b7: LogClientException
  • 0x43207:$b8: PipeExists
  • 0x42e56:$b9: IClientLoggingHost
  • 0x565a3:$b9: IClientLoggingHost
  • 0x6f077:$b9: IClientLoggingHost
Source: 00000002.00000002.580407779.0000000000409000.00000004.00000001.01000000.00000007.sdmp | Rule: JoeSecurity_Neshta | Description: Yara detected Neshta | Author: Joe Security
Source: 00000000.00000003.341781141.0000000002184000.00000004.00001000.00020000.00000000.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
  • 0x22b1:$x1: NanoCore.ClientPluginHost
  • 0x22ee:$x2: IClientNetworkHost
  • 0x5e21:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 0.0.IntelCpHeciSvc.exe.400000.0.unpack | Rule: MAL_Malware_Imphash_Mar23_1 | Description: Detects malware by known bad imphash or rich_pe_header_hash | Author: Arnim Rupp
Source: 0.0.IntelCpHeciSvc.exe.400000.0.unpack | Rule: MAL_Neshta_Generic | Description: Detects Neshta malware | Author: Florian Roth (Nextron Systems)
  • 0xa0e7:$x1: the best. Fuck off all the rest.
  • 0xa1a8:$x2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
  • 0xa108:$s1: Neshta
  • 0xa113:$s2: Made in Belarus.
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
Source: 0.0.IntelCpHeciSvc.exe.400000.0.unpack | Rule: JoeSecurity_Neshta | Description: Yara detected Neshta | Author: Joe Security
Source: 0.0.IntelCpHeciSvc.exe.400000.0.unpack | Rule: MALWARE_Win_Neshta | Description: Detects Neshta | Author: ditekSHen
  • 0xa0e0:$s1: Delphi-the best. Fuck off all the rest. Neshta 1.0 Made in Belarus.
  • 0xa1a8:$s2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
Source: 3.2.dhcpmon.exe.134f6ddc.3.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth (Nextron Systems)
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost

AV Detection

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, ProcessId: 6824, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, ProcessId: 6824, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, ProcessId: 6824, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, ProcessId: 6824, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
No Snort rule has matched

AV Detection

Source: 00000003.00000002.403891013.00000000134B0000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "7d265ee0-5eff-4ffb-9f35-947e4a7e", "Group": "Default", "Domain1": "", "Domain2": "googleusercontent.ddns.net", "Port": 54984, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source: IntelCpHeciSvc.exe | ReversingLabs: Detection: 97%
Source: IntelCpHeciSvc.exe | Virustotal: Detection: 90%
Source: IntelCpHeciSvc.exe | Avira: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe | Avira: detection malicious, Label: W32/Neshta.A
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe | ReversingLabs: Detection: 95%
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe | Virustotal: Detection: 92%
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe | ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | ReversingLabs: Detection: 95%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe | ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe | ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE | ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE | ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE | ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE | ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE | ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe | ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE | ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.132\GoogleUpdateSetup.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Google\Update\Install\{3560B2D0-8C42-4C08-AD8B-F3DF39FC149C}\GoogleUpdateSetup.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe | ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE | ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE | ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe | ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE | ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE | ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE | ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE | ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE | ReversingLabs: Detection: 100%
Source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE | ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE | ReversingLabs: Detection: 97%
Source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE | ReversingLabs: Detection: 96%
Source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE | ReversingLabs: Detection: 96%
Source: Yara match | File source: IntelCpHeciSvc.exe, type: SAMPLE
Source: Yara match | File source: 3.2.dhcpmon.exe.134f6ddc.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.IntelCpHeciSvc.exe.1bd64629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.IntelCpHeciSvc.exe.6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.dhcpmon.exe.134f6ddc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.dhcpmon.exe.134f1fa6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.dhcpmon.exe.134fb405.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.403891013.00000000134B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.341781141.0000000002184000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.342421463.00000000006C2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.403372406.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: IntelCpHeciSvc.exe PID: 5760, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: IntelCpHeciSvc.exe PID: 6824, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: IntelCpHeciSvc.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe | Joe Sandbox ML: detected
Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | Joe Sandbox ML: detected
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exeJoe Sandbox ML: detected
                    Source: C:\Program Files (x86)\AutoIt3\Au3Check.exeJoe Sandbox ML: detected
                    Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJoe Sandbox ML: detected
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exeJoe Sandbox ML: detected
                    Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exeJoe Sandbox ML: detected
                    Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exeJoe Sandbox ML: detected
                    Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJoe Sandbox ML: detected
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exeJoe Sandbox ML: detected
                    Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exeJoe Sandbox ML: detected
                    Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exeJoe Sandbox ML: detected
                    Source: IntelCpHeciSvc.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeFile opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeDirectory created: C:\Program Files\DHCP MonitorJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeDirectory created: C:\Program Files\DHCP Monitor\dhcpmon.exeJump to behavior
                    Source: Binary string: C:\Windows\dll\mscorlib.pdbv source: IntelCpHeciSvc.exe, 00000001.00000002.610031860.0000000000B66000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: 4e089\mscorlib.pdb source: IntelCpHeciSvc.exe, 00000001.00000002.610031860.0000000000B66000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\mscorlib.pdbSpec source: IntelCpHeciSvc.exe, 00000001.00000002.610031860.0000000000B66000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: IntelCpHeciSvc.exe, 00000001.00000002.610031860.0000000000B66000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: IntelCpHeciSvc.exe, 00000001.00000002.610031860.0000000000B66000.00000004.00000020.00020000.00000000.sdmp

Spreading

Source: Yara match; File source: IntelCpHeciSvc.exe, type: SAMPLE
Source: Yara match; File source: 0.0.IntelCpHeciSvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.580407779.0000000000409000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.609863549.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: IntelCpHeciSvc.exe PID: 5760, type: MEMORYSTR
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match; File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match; File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED
Source: Yara match; File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match; File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED
Source: Yara match; File source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED
Source: Yara match; File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match; File source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match; File source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED
Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Google\Update\Install\{3560B2D0-8C42-4C08-AD8B-F3DF39FC149C}\GoogleUpdateSetup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Users\user\AppData\Local\Temp\CR_14C6C.tmp\setup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\ProgramData\Adobe\ARM\S\1977\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.132\GoogleUpdateSetup.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\AutoIt3\Uninstall.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXEJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\ProgramData\Adobe\ARM\S\11399\AdobeARMHelper.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXEJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXEJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXEJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXEJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXEJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXEJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXEJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXEJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile opened: C:\Documents and Settings\All Users\Jump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile opened: C:\Documents and Settings\All Users\Application Data\Jump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\11399\Jump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Jump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Jump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile opened: C:\Documents and Settings\All Users\Application Data\Application Data\Jump to behavior

                    Networking

                    Source: Malware configuration extractor | URLs: googleusercontent.ddns.net
                    Source: unknown | DNS query: name: googleusercontent.ddns.net
                    Source: Joe Sandbox View | ASN Name: FINK-TELECOM-SERVICESCH
                    Source: Joe Sandbox View | IP Address: 79.134.225.25
                    Source: global traffic | TCP traffic: 192.168.2.7:49701 -> 79.134.225.25:54984
                    Source: unknown | DNS traffic detected: queries for: googleusercontent.ddns.net
                    Source: IntelCpHeciSvc.exe, 00000000.00000002.609912697.00000000004BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                    Source: IntelCpHeciSvc.exe, 00000000.00000003.507819138.0000000002250000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: _WinAPI_RegisterRawInputDevices.au3

                    E-Banking Fraud

                    Source: Yara match | File source: IntelCpHeciSvc.exe, type: SAMPLE
                    Source: Yara match | File source: 3.2.dhcpmon.exe.134f6ddc.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.IntelCpHeciSvc.exe.1bd64629.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.0.IntelCpHeciSvc.exe.6c0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.dhcpmon.exe.134f6ddc.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.dhcpmon.exe.134f1fa6.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.dhcpmon.exe.134fb405.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000002.403891013.00000000134B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000003.341781141.0000000002184000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000000.342421463.00000000006C2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.403372406.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: IntelCpHeciSvc.exe PID: 5760, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: IntelCpHeciSvc.exe PID: 6824, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, type: DROPPED
                    Source: Yara match | File source: C:\Program Files\DHCP Monitor\dhcpmon.exe, type: DROPPED

                    System Summary

                    Source: IntelCpHeciSvc.exe, type: SAMPLE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
                    Source: IntelCpHeciSvc.exe, type: SAMPLE | Matched rule: Detects NanoCore, Author: ditekSHen
                    Source: IntelCpHeciSvc.exe, type: SAMPLE | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: IntelCpHeciSvc.exe, type: SAMPLE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
                    Source: IntelCpHeciSvc.exe, type: SAMPLE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
                    Source: 0.0.IntelCpHeciSvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: 3.2.dhcpmon.exe.134f6ddc.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
                    Source: 3.2.dhcpmon.exe.134f6ddc.3.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
                    Source: 3.2.dhcpmon.exe.134f6ddc.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
                    Source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
                    Source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
                    Source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
                    Source: 1.2.IntelCpHeciSvc.exe.1bd64629.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
                    Source: 1.2.IntelCpHeciSvc.exe.1bd64629.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
                    Source: 1.2.IntelCpHeciSvc.exe.1bd64629.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
                    Source: 3.2.dhcpmon.exe.34cc9d0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
                    Source: 3.2.dhcpmon.exe.34cc9d0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
                    Source: 3.2.dhcpmon.exe.34cc9d0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
                    Source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
                    Source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
                    Source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
                    Source: 1.0.IntelCpHeciSvc.exe.6c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
                    Source: 1.0.IntelCpHeciSvc.exe.6c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
                    Source: 1.0.IntelCpHeciSvc.exe.6c0000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 1.0.IntelCpHeciSvc.exe.6c0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
                    Source: 1.2.IntelCpHeciSvc.exe.1b800000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
                    Source: 1.2.IntelCpHeciSvc.exe.1b800000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
                    Source: 1.2.IntelCpHeciSvc.exe.1b800000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
                    Source: 3.2.dhcpmon.exe.134f6ddc.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
                    Source: 3.2.dhcpmon.exe.134f6ddc.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
                    Source: 3.2.dhcpmon.exe.134f6ddc.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
                    Source: 3.2.dhcpmon.exe.134f1fa6.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
                    Source: 3.2.dhcpmon.exe.134f1fa6.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
                    Source: 3.2.dhcpmon.exe.134f1fa6.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 3.2.dhcpmon.exe.134f1fa6.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
                    Source: 3.2.dhcpmon.exe.134fb405.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
                    Source: 3.2.dhcpmon.exe.134fb405.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
                    Source: 3.2.dhcpmon.exe.134fb405.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
                    Source: 1.2.IntelCpHeciSvc.exe.2dc6ec8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
                    Source: 1.2.IntelCpHeciSvc.exe.2dc6ec8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore, Author: ditekSHen
                    Source: 1.2.IntelCpHeciSvc.exe.2dc6ec8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
                    Source: 00000003.00000002.403891013.00000000134B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000003.00000002.403891013.00000000134B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
                    Source: 00000000.00000003.341781141.0000000002184000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
                    Source: 00000000.00000003.341781141.0000000002184000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000000.00000003.341781141.0000000002184000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
                    Source: 00000001.00000002.629221700.000000001B800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
                    Source: 00000001.00000002.629221700.000000001B800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore, Author: ditekSHen
                    Source: 00000001.00000002.629221700.000000001B800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
                    Source: 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
                    Source: 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore, Author: ditekSHen
                    Source: 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
                    Source: 00000001.00000000.342421463.00000000006C2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
                    Source: 00000001.00000000.342421463.00000000006C2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000001.00000000.342421463.00000000006C2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
                    Source: 00000003.00000002.403372406.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 00000003.00000002.403372406.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
                    Source: 00000001.00000002.619633331.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
                    Source: Process Memory Space: IntelCpHeciSvc.exe PID: 5760, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
                    Source: Process Memory Space: IntelCpHeciSvc.exe PID: 5760, type: MEMORYSTR | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
                    Source: Process Memory Space: IntelCpHeciSvc.exe PID: 5760, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
                    Source: Process Memory Space: IntelCpHeciSvc.exe PID: 6824, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
                    Source: Process Memory Space: IntelCpHeciSvc.exe PID: 6824, type: MEMORYSTR | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
                    Source: Process Memory Space: IntelCpHeciSvc.exe PID: 6824, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, type: DROPPED | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, type: DROPPED | Matched rule: Detects NanoCore, Author: ditekSHen
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, type: DROPPED | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, type: DROPPED | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth (Nextron Systems)
                    Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: Detects NanoCore, Author: ditekSHen
                    Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
                    Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5, Author: unknown
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Windows\svchost.com, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED | Matched rule: Detects Neshta, Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPEDMatched rule: Detects Neshta Author: ditekSHen
                    Source: IntelCpHeciSvc.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                    Source: IntelCpHeciSvc.exe, type: SAMPLEMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: IntelCpHeciSvc.exe, type: SAMPLEMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: IntelCpHeciSvc.exe, type: SAMPLEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: IntelCpHeciSvc.exe, type: SAMPLEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: IntelCpHeciSvc.exe, type: SAMPLEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: IntelCpHeciSvc.exe, type: SAMPLEMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: IntelCpHeciSvc.exe, type: SAMPLEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: IntelCpHeciSvc.exe, type: SAMPLEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
                    Source: 0.0.IntelCpHeciSvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: 0.0.IntelCpHeciSvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: 0.0.IntelCpHeciSvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: 3.2.dhcpmon.exe.134f6ddc.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 3.2.dhcpmon.exe.134f6ddc.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 3.2.dhcpmon.exe.134f6ddc.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 3.2.dhcpmon.exe.134f6ddc.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
                    Source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
                    Source: 1.2.IntelCpHeciSvc.exe.1bd64629.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 1.2.IntelCpHeciSvc.exe.1bd64629.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 1.2.IntelCpHeciSvc.exe.1bd64629.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 1.2.IntelCpHeciSvc.exe.1bd64629.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
                    Source: 3.2.dhcpmon.exe.34cc9d0.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 3.2.dhcpmon.exe.34cc9d0.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 3.2.dhcpmon.exe.34cc9d0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 3.2.dhcpmon.exe.34cc9d0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
                    Source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
                    Source: 1.0.IntelCpHeciSvc.exe.6c0000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 1.0.IntelCpHeciSvc.exe.6c0000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 1.0.IntelCpHeciSvc.exe.6c0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 1.0.IntelCpHeciSvc.exe.6c0000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 1.0.IntelCpHeciSvc.exe.6c0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
                    Source: 1.2.IntelCpHeciSvc.exe.1b800000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 1.2.IntelCpHeciSvc.exe.1b800000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 1.2.IntelCpHeciSvc.exe.1b800000.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 1.2.IntelCpHeciSvc.exe.1b800000.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
                    Source: 3.2.dhcpmon.exe.134f6ddc.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 3.2.dhcpmon.exe.134f6ddc.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 3.2.dhcpmon.exe.134f6ddc.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 3.2.dhcpmon.exe.134f6ddc.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
                    Source: 3.2.dhcpmon.exe.134f1fa6.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 3.2.dhcpmon.exe.134f1fa6.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 3.2.dhcpmon.exe.134f1fa6.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 3.2.dhcpmon.exe.134f1fa6.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 3.2.dhcpmon.exe.134f1fa6.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
                    Source: 3.2.dhcpmon.exe.134fb405.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 3.2.dhcpmon.exe.134fb405.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 3.2.dhcpmon.exe.134fb405.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 3.2.dhcpmon.exe.134fb405.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
                    Source: 1.2.IntelCpHeciSvc.exe.2dc6ec8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 1.2.IntelCpHeciSvc.exe.2dc6ec8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 1.2.IntelCpHeciSvc.exe.2dc6ec8.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 1.2.IntelCpHeciSvc.exe.2dc6ec8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
                    Source: 00000003.00000002.403891013.00000000134B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000003.00000002.403891013.00000000134B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
                    Source: 00000000.00000003.341781141.0000000002184000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 00000000.00000003.341781141.0000000002184000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000000.00000003.341781141.0000000002184000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
                    Source: 00000001.00000002.629221700.000000001B800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 00000001.00000002.629221700.000000001B800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 00000001.00000002.629221700.000000001B800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 00000001.00000002.629221700.000000001B800000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
                    Source: 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
                    Source: 00000001.00000000.342421463.00000000006C2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 00000001.00000000.342421463.00000000006C2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000001.00000000.342421463.00000000006C2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
                    Source: 00000003.00000002.403372406.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000003.00000002.403372406.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
                    Source: 00000001.00000002.619633331.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
                    Source: Process Memory Space: IntelCpHeciSvc.exe PID: 5760, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: Process Memory Space: IntelCpHeciSvc.exe PID: 5760, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: Process Memory Space: IntelCpHeciSvc.exe PID: 5760, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
                    Source: Process Memory Space: IntelCpHeciSvc.exe PID: 6824, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: Process Memory Space: IntelCpHeciSvc.exe PID: 6824, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: Process Memory Space: IntelCpHeciSvc.exe PID: 6824, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED | Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED | Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe, type: DROPPED | Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED | Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED | Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED | Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, type: DROPPED | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, type: DROPPED | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, type: DROPPED | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, type: DROPPED | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, type: DROPPED | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED | Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED | Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED | Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED | Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED | Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED | Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED | Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED | Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED | Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED | Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED | Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED | Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED | Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED | Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED | Matched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED | Matched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED | Matched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe, type: DROPPEDMatched rule: SUSP_Unsigned_GoogleUpdate date = 2019-08-05, author = Florian Roth (Nextron Systems), description = Detects suspicious unsigned GoogleUpdate.exe, score = 5aa84aa5c90ec34b7f7d75eb350349ae3aa5060f3ad6dd0520e851626e9f8354, reference = Internal Research
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED. Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED. Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED. Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED. Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED. Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED. Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED. Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED. Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED. Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED. Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED. Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED. Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED. Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED. Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED. Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED. Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED. Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED. Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED. Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe, type: DROPPED. Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe, type: DROPPED. Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe, type: DROPPED. Matched rule: SUSP_Unsigned_GoogleUpdate (date = 2019-08-05, author = Florian Roth (Nextron Systems), description = Detects suspicious unsigned GoogleUpdate.exe, score = 5aa84aa5c90ec34b7f7d75eb350349ae3aa5060f3ad6dd0520e851626e9f8354, reference = Internal Research)
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe, type: DROPPED. Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED. Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED. Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED. Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED. Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED. Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED. Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED. Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED. Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED. Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED. Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED. Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED. Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED. Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED. Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED. Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED. Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED. Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED. Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe, type: DROPPED. Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe, type: DROPPED. Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe, type: DROPPED. Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED. Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED. Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED. Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED. Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED. Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED. Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED. Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED. Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED. Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe, type: DROPPED. Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe, type: DROPPED. Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe, type: DROPPED. Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED. Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED. Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED. Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED. Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED. Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED. Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED. Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED. Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED. Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED. Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED. Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED. Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED. Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED. Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED. Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED. Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED. Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED. Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED. Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED. Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED. Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Windows\svchost.com, type: DROPPED. Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Windows\svchost.com, type: DROPPED. Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Windows\svchost.com, type: DROPPED. Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED. Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED. Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED. Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe, type: DROPPED. Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe, type: DROPPED. Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe, type: DROPPED. Matched rule: SUSP_Unsigned_GoogleUpdate (date = 2019-08-05, author = Florian Roth (Nextron Systems), description = Detects suspicious unsigned GoogleUpdate.exe, score = 5aa84aa5c90ec34b7f7d75eb350349ae3aa5060f3ad6dd0520e851626e9f8354, reference = Internal Research)
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPEDMatched rule: MAL_Neshta_Generic date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPEDMatched rule: MALWARE_Win_Neshta author = ditekSHen, description = Detects Neshta
                    Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPEDMatched rule: MAL_Malware_Imphash_Mar23_1 date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37
                    Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED; Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED; Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED; Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED; Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED; Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED; Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED; Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED; Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED; Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED; Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED; Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED; Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED; Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED; Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED; Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED; Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED; Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED; Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED; Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED; Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED; Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED; Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED; Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED; Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED; Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED; Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED; Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED; Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED; Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED; Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe, type: DROPPED; Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe, type: DROPPED; Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe, type: DROPPED; Matched rule: SUSP_Unsigned_GoogleUpdate (date = 2019-08-05, author = Florian Roth (Nextron Systems), description = Detects suspicious unsigned GoogleUpdate.exe, score = 5aa84aa5c90ec34b7f7d75eb350349ae3aa5060f3ad6dd0520e851626e9f8354, reference = Internal Research)
                    Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe, type: DROPPED; Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED; Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED; Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED; Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED; Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED; Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED; Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED; Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED; Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED; Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED; Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED; Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED; Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED; Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED; Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED; Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED; Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED; Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED; Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED; Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED; Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED; Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED; Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED; Matched rule: MAL_Neshta_Generic (date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth (Nextron Systems), description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14)
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED; Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED; Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED; Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED; Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED; Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED; Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED; Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED; Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED; Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED; Matched rule: MAL_Malware_Imphash_Mar23_1 (date = 2023-03-20, author = Arnim Rupp, description = Detects malware by known bad imphash or rich_pe_header_hash, score = 167dde6bd578cbfcc587d5853e7fc2904cda10e737ca74b31df52ba24db6e7bc, reference = https://yaraify.abuse.ch/statistics/, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, modified = 2023-03-22, hash = 866e3ea86671a62b677214f07890ddf7e8153bec56455ad083c800e6ab51be37)
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED; Matched rule: MALWARE_Win_Neshta (author = ditekSHen, description = Detects Neshta)
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; File created: C:\Windows\svchost.com
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe; Code function: 1_2_00007FFDC2A93288
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe; Code function: 1_2_00007FFDC2A9301D
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe; Code function: 1_2_00007FFDC2A9CFB9
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe; Code function: 1_2_00007FFDC2A997AD
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe; Code function: 1_2_00007FFDC2A9CD1D
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe; Code function: 1_2_00007FFDC2A9EB58
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe; Code function: 1_2_00007FFDC2A932B9
                    Source: C:\Program Files\DHCP Monitor\dhcpmon.exe; Code function: 3_2_00007FFDC2A83040
                    Source: C:\Program Files\DHCP Monitor\dhcpmon.exe; Code function: 3_2_00007FFDC2A832B9
                    Source: IntelCpHeciSvc.exe, 00000000.00000002.609608819.0000000000190000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: OriginalFilename vs IntelCpHeciSvc.exe
                    Source: IntelCpHeciSvc.exe, 00000001.00000002.610283998.0000000000B89000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamemscorwks.dllT vs IntelCpHeciSvc.exe
                    Source: IntelCpHeciSvc.exe, 00000001.00000002.615813689.0000000000D50000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameLzma#.dll4 vs IntelCpHeciSvc.exe
                    Source: IntelCpHeciSvc.exe, 00000001.00000002.629221700.000000001B800000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameClientPlugin.dll4 vs IntelCpHeciSvc.exe
                    Source: IntelCpHeciSvc.exe, 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameLzma#.dll4 vs IntelCpHeciSvc.exe
                    Source: IntelCpHeciSvc.exe, 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs IntelCpHeciSvc.exe
                    Source: IntelCpHeciSvc.exe, 00000001.00000002.619633331.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameClientPlugin.dll4 vs IntelCpHeciSvc.exe
                    Source: IntelCpHeciSvc.exe, 00000001.00000002.627685119.0000000012E1F000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs IntelCpHeciSvc.exe
                    Source: Joe Sandbox View; Dropped File: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe C2D2D8A74C726957A9DD578DCC0ED1C8B86B400822477B50FB2518923065E229
                    Source: IntelCpHeciSvc.exe.0.dr; Static PE information: Section: .rsrc ZLIB complexity 0.9996875
                    Source: IntelCpHeciSvc.exe; ReversingLabs: Detection: 97%
                    Source: IntelCpHeciSvc.exe; Virustotal: Detection: 90%
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; File read: C:\Users\user\Desktop\IntelCpHeciSvc.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown; Process created: C:\Users\user\Desktop\IntelCpHeciSvc.exe C:\Users\user\Desktop\IntelCpHeciSvc.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; Process created: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe "C:\Users\user~1\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe"
                    Source: unknown; Process created: C:\Windows\svchost.com "C:\Windows\svchost.com" "C:\PROGRA~1\DHCPMO~1\dhcpmon.exe"
                    Source: C:\Windows\svchost.com; Process created: C:\Program Files\DHCP Monitor\dhcpmon.exe C:\PROGRA~1\DHCPMO~1\dhcpmon.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeProcess created: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe "C:\Users\user~1\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe" Jump to behavior
                    Source: C:\Windows\svchost.comProcess created: C:\Program Files\DHCP Monitor\dhcpmon.exe C:\PROGRA~1\DHCPMO~1\dhcpmon.exe Jump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeFile created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9AJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Users\user~1\AppData\Local\Temp\3582-490Jump to behavior
                    Source: classification engineClassification label: mal100.spre.troj.evad.winEXE@6/118@21/1
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: IntelCpHeciSvc.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.32%
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                    Source: C:\Program Files\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{7d265ee0-5eff-4ffb-9f35-947e4a7e76b0}
                    Source: C:\Windows\svchost.comMutant created: \Sessions\1\BaseNamedObjects\MutexPolesskayaGlush*.* svchost.com n X . t N t h ` T 5 @
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeFile created: C:\Program Files\DHCP MonitorJump to behavior
                    Source: IntelCpHeciSvc.exe.0.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
                    Source: IntelCpHeciSvc.exe.0.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
                    Source: IntelCpHeciSvc.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeFile opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeDirectory created: C:\Program Files\DHCP MonitorJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeDirectory created: C:\Program Files\DHCP Monitor\dhcpmon.exeJump to behavior
                    Source: Binary string: C:\Windows\dll\mscorlib.pdbv source: IntelCpHeciSvc.exe, 00000001.00000002.610031860.0000000000B66000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: 4e089\mscorlib.pdb source: IntelCpHeciSvc.exe, 00000001.00000002.610031860.0000000000B66000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\mscorlib.pdbSpec source: IntelCpHeciSvc.exe, 00000001.00000002.610031860.0000000000B66000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: IntelCpHeciSvc.exe, 00000001.00000002.610031860.0000000000B66000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: IntelCpHeciSvc.exe, 00000001.00000002.610031860.0000000000B66000.00000004.00000020.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: IntelCpHeciSvc.exe.0.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs; .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: IntelCpHeciSvc.exe.0.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs; .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe; Code function: 1_2_00007FFDC2A9A354 push eax; retf 1_2_00007FFDC2A9A36D
                    Source: IntelCpHeciSvc.exe.0.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs; High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
                    Source: IntelCpHeciSvc.exe.0.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs; High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

                    Persistence and Installation Behavior

                    Source: Yara match; File source: IntelCpHeciSvc.exe, type: SAMPLE
                    Source: Yara match; File source: 0.0.IntelCpHeciSvc.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000002.00000002.580407779.0000000000409000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.609863549.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: IntelCpHeciSvc.exe PID: 5760, type: MEMORYSTR
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED
                    Source: Yara match; File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe, type: DROPPED
                    Source: Yara match; File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED
                    Source: Yara match; File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
                    Source: Yara match; File source: C:\Windows\svchost.com, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED
                    Source: Yara match; File source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED
                    Source: Yara match; File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED
                    Source: Yara match; File source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe, type: DROPPED
                    Source: Yara match; File source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED
                    Source: Yara match; File source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Google\Update\Install\{3560B2D0-8C42-4C08-AD8B-F3DF39FC149C}\GoogleUpdateSetup.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Users\user\AppData\Local\Temp\CR_14C6C.tmp\setup.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe; System file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\ProgramData\Adobe\ARM\S\1977\AdobeARMHelper.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXEJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXEJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXEJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\misc.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.132\GoogleUpdateSetup.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\AutoIt3\Uninstall.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXEJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\ProgramData\Adobe\ARM\S\11399\AdobeARMHelper.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXEJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXEJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXEJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXEJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXEJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXEJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXEJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeSystem file written: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXEJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Windows\svchost.comJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile written: C:\ProgramData\Adobe\ARM\S\11399\AdobeARMHelper.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile written: C:\ProgramData\Adobe\ARM\S\1977\AdobeARMHelper.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile written: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile written: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
                    Source: unknownExecutable created and started: C:\Windows\svchost.com
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\ProgramData\Adobe\ARM\S\11399\AdobeARMHelper.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\ProgramData\Adobe\ARM\S\1977\AdobeARMHelper.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exeJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeFile created: C:\Program Files\DHCP Monitor\dhcpmon.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXEJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXEJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Google\Update\Install\{3560B2D0-8C42-4C08-AD8B-F3DF39FC149C}\GoogleUpdateSetup.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Users\user\AppData\Local\Temp\CR_14C6C.tmp\setup.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.132\GoogleUpdateSetup.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\AutoIt3\Uninstall.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXEJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXEJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXEJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXEJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXEJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXEJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exeJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXEJump to dropped file
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeFile created: C:\Windows\svchost.comJump to dropped file

                    Boot Survival

Source: Yara match | File source: IntelCpHeciSvc.exe, type: SAMPLE
Source: Yara match | File source: 0.0.IntelCpHeciSvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.580407779.0000000000409000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.609863549.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: IntelCpHeciSvc.exe PID: 5760, type: MEMORYSTR
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED
Source: Yara match | File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
Source: Yara match | File source: C:\Windows\svchost.com, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED
Source: Yara match | File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED
Source: Yara match | File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe, type: DROPPED
Source: Yara match | File source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED
Source: Yara match | File source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command NULL
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DHCP Monitor (2 identical entries in the report)

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeFile opened: C:\Users\user~1\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe:Zone.Identifier read attributes | deleteJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\svchost.com | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe TID: 6956 | Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe TID: 6964 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Program Files\DHCP Monitor\dhcpmon.exe TID: 7148 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Install\{3560B2D0-8C42-4C08-AD8B-F3DF39FC149C}\GoogleUpdateSetup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CR_14C6C.tmp\setup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\ProgramData\Adobe\ARM\S\1977\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.132\GoogleUpdateSetup.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Uninstall.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\ProgramData\Adobe\ARM\S\11399\AdobeARMHelper.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\ProgramData\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe | Window / User API: foregroundWindowGot 787
Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File opened: C:\Documents and Settings\All Users\
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File opened: C:\Documents and Settings\All Users\Application Data\
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\S\11399\
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\
Source: C:\Users\user\Desktop\IntelCpHeciSvc.exe | File opened: C:\Documents and Settings\All Users\Application Data\Application Data\
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: mwHyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.catum.mum
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: mwHyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: mwHyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: mwHyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: mwHyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: mwHyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: mwHyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat.mumum.mum
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: mwHyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mum.mum
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: mwHyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat.mum
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: mwHyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: mwHyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.mumum.mum
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: mwHyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum.mum.mum
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: mwHyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: mwHyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat.mum.mum
Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: mwHyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
                    Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: mwHyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat.mum
                    Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: mwHyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum.mum
                    Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: mwHyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
                    Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: mwHyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
                    Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: mwHyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
                    Source: IntelCpHeciSvc.exe, 00000001.00000003.547251042.000000001B84A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: mwHyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum.mumum.mum
                    Source: svchost.com, 00000002.00000003.429290618.000000000220C000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: mwHyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.mum
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeMemory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\IntelCpHeciSvc.exeProcess created: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe "C:\Users\user~1\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe"
                    Source: IntelCpHeciSvc.exe, 00000001.00000003.359611397.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.360168853.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.362405323.0000000000C67000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager/user/AppData/Local/Temp/3582-490/en-US/SurveillanceExClientPlugin.resources.EXE
                    Source: IntelCpHeciSvc.exe, 00000001.00000003.443147694.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.396136976.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.360168853.0000000000C67000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managersk\AppData\Local\Temp\3582-490\en\SurveillanceExClientPlugin.resources.DLL
                    Source: IntelCpHeciSvc.exe, 00000001.00000003.443147694.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.396136976.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.484908244.0000000000C65000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managert.ddns.net
                    Source: IntelCpHeciSvc.exe, 00000001.00000003.482442583.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.482937315.0000000000C66000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managert.ddns.netb
                    Source: IntelCpHeciSvc.exe, 00000001.00000003.443147694.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000002.619633331.0000000002EBC000.00000004.00000800.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000002.619633331.0000000003122000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
                    Source: IntelCpHeciSvc.exe, 00000001.00000003.443147694.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.396136976.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.484908244.0000000000C65000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manageruld be made because the target machine actively refused it.
                    Source: IntelCpHeciSvc.exe, 00000001.00000003.360168853.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.359470257.0000000000C66000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.363648013.0000000000C66000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managersk\AppData\Local\Temp\3582-490\en\SurveillanceExClientPlugin.resources\SurveillanceExClientPlugin.resources.EXE
                    Source: IntelCpHeciSvc.exe, 00000001.00000003.360168853.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.360303205.0000000000C68000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.360450418.0000000000C68000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager/user/AppData/Local/Temp/3582-490/en/SurveillanceExClientPlugin.resources.EXE
                    Source: IntelCpHeciSvc.exe, 00000001.00000003.443147694.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.359470257.0000000000C66000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.363648013.0000000000C66000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managersk\AppData\Local\Temp\3582-490\en-US\SurveillanceExClientPlugin.resources\SurveillanceExClientPlugin.resources.DLLb
                    Source: IntelCpHeciSvc.exe, 00000001.00000003.363648013.0000000000C66000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager/user/AppData/Local/Temp/3582-490/en/SurveillanceExClientPlugin.resources.DLL8
                    Source: IntelCpHeciSvc.exe, 00000001.00000003.360168853.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.362405323.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.363648013.0000000000C66000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager/user/AppData/Local/Temp/3582-490/en/SurveillanceExClientPlugin.resources/SurveillanceExClientPlugin.resources.DLL
                    Source: IntelCpHeciSvc.exe, 00000001.00000003.443147694.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.363648013.0000000000C66000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.482442583.0000000000C64000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managert.ddns.net[
                    Source: IntelCpHeciSvc.exe, 00000001.00000003.443147694.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.363648013.0000000000C66000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.484908244.0000000000C65000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managert.ddns.netz
                    Source: IntelCpHeciSvc.exe, 00000001.00000003.360450418.0000000000C68000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerindow.0.app.0.378734a
                    Source: IntelCpHeciSvc.exe, 00000001.00000003.443147694.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.482442583.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.455171072.0000000000C65000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managert.ddns.net8
                    Source: IntelCpHeciSvc.exe, 00000001.00000003.396136976.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.360168853.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.359470257.0000000000C66000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager@w
                    Source: IntelCpHeciSvc.exe, 00000001.00000003.359611397.0000000000C67000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managersk\AppData\Local\Temp\3582-490\en\SurveillanceEx
                    Source: IntelCpHeciSvc.exe, 00000001.00000003.396136976.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.360168853.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, IntelCpHeciSvc.exe, 00000001.00000003.359470257.0000000000C66000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managersk\AppData\Local\Temp\3582-490\en\SurveillanceExClientPlugin.resources\SurveillanceExClientPlugin.resources.DLL
                    Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: IntelCpHeciSvc.exe, 00000000.00000003.477943862.0000000002184000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: MSASCui.exe
                    Source: IntelCpHeciSvc.exe, 00000000.00000003.477943862.0000000002184000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: MsMpEng.exe

                    Stealing of Sensitive Information

                    Source: Yara matchFile source: IntelCpHeciSvc.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.IntelCpHeciSvc.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000002.00000002.580407779.0000000000409000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.609863549.0000000000409000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: IntelCpHeciSvc.exe PID: 5760, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe, type: DROPPED
                    Source: Yara matchFile source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Windows\svchost.com, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, type: DROPPED
                    Source: Yara matchFile source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, type: DROPPED
                    Source: Yara matchFile source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
                    Source: Yara matchFile source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe, type: DROPPED
                    Source: Yara matchFile source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, type: DROPPED
                    Source: Yara matchFile source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, type: DROPPED
                    Source: Yara matchFile source: IntelCpHeciSvc.exe, type: SAMPLE
                    Source: Yara matchFile source: 3.2.dhcpmon.exe.134f6ddc.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.IntelCpHeciSvc.exe.1bd64629.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.0.IntelCpHeciSvc.exe.6c0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.dhcpmon.exe.134f6ddc.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.dhcpmon.exe.134f1fa6.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.dhcpmon.exe.134fb405.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000003.00000002.403891013.00000000134B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000003.341781141.0000000002184000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000000.342421463.00000000006C2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.403372406.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: IntelCpHeciSvc.exe PID: 5760, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: IntelCpHeciSvc.exe PID: 6824, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files\DHCP Monitor\dhcpmon.exe, type: DROPPED

                    Remote Access Functionality

                    Source: IntelCpHeciSvc.exe, 00000000.00000003.341781141.0000000002184000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
                    Source: IntelCpHeciSvc.exe, 00000001.00000002.629221700.000000001B800000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
                    Source: IntelCpHeciSvc.exe, 00000001.00000002.629221700.000000001B800000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
                    Source: IntelCpHeciSvc.exe, 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
                    Source: IntelCpHeciSvc.exe, 00000001.00000000.342421463.00000000006C2000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: NanoCore.ClientPluginHost
                    Source: IntelCpHeciSvc.exe, 00000001.00000002.619633331.0000000002DB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
                    Source: IntelCpHeciSvc.exe, 00000001.00000002.619633331.0000000002DB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentMod
el.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Yara match | File source: IntelCpHeciSvc.exe, type: SAMPLE
Source: Yara match | File source: 3.2.dhcpmon.exe.134f6ddc.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.IntelCpHeciSvc.exe.1bd64629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.IntelCpHeciSvc.exe.1bd60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.IntelCpHeciSvc.exe.6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.dhcpmon.exe.134f6ddc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.dhcpmon.exe.134f1fa6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.dhcpmon.exe.134fb405.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.403891013.00000000134B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.341781141.0000000002184000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.342421463.00000000006C2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.403372406.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: IntelCpHeciSvc.exe PID: 5760, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: IntelCpHeciSvc.exe PID: 6824, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\DHCP Monitor\dhcpmon.exe, type: DROPPED
MITRE ATT&CK matrix (one list per tactic column; the leading numbers are the count badges shown next to matched techniques in the report)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: 11 Registry Run Keys / Startup Folder; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: 12 Process Injection; 11 Registry Run Keys / Startup Folder; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: 323 Masquerading; 1 Disable or Modify Tools; 21 Virtualization/Sandbox Evasion; 12 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Hidden Files and Directories; 1 Obfuscated Files or Information; 11 Software Packing
Credential Access: 21 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 111 Security Software Discovery; 2 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 2 System Information Discovery; Network Sniffing; Network Service Scanning
Lateral Movement: 1 Taint Shared Content; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: 21 Input Capture; 11 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 1 Non-Application Layer Protocol; 21 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet

Source | Detection | Scanner | Label
IntelCpHeciSvc.exe | 97% | ReversingLabs | Win32.Virus.Neshta
IntelCpHeciSvc.exe | 90% | Virustotal |
IntelCpHeciSvc.exe | 100% | Avira | W32/Neshta.A
IntelCpHeciSvc.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Au3Info.exe | 100% | Avira | W32/Neshta.A
C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Uninstall.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Avira | W32/Neshta.A
C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe | 100% | Avira | W32/Neshta.A
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Au3Info.exe | 100% | Joe Sandbox ML |
C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Uninstall.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Joe Sandbox ML |
C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe | 100% | Joe Sandbox ML |
C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe | 96% | ReversingLabs | Win32.Virus.Neshta
C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe | 93% | Virustotal |
C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe | 98% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 97% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 97% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | 98% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 96% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 98% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Au3Info.exe | 98% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 97% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 96% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe | 97% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 98% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\AutoIt3\Uninstall.exe | 97% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe | 100% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE | 97% | ReversingLabs | Win32.Virus.Neshta
C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE | 97% | ReversingLabs | Win32.Virus.Neshta
                    No Antivirus matches
Source | Detection | Scanner | Label
googleusercontent.ddns.net | 2% | Virustotal |
Source | Detection | Scanner | Label
googleusercontent.ddns.net | 2% | Virustotal |
(URL not shown) | 0% | Avira URL Cloud | safe
googleusercontent.ddns.net | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
googleusercontent.ddns.net | 79.134.225.25 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
(URL not shown) | true | Avira URL Cloud: safe | low
googleusercontent.ddns.net | true | 2%, Virustotal; Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
79.134.225.25 | googleusercontent.ddns.net | Switzerland | 6775 | FINK-TELECOM-SERVICESCH | true
Joe Sandbox Version: 37.1.0 Beryl
Analysis ID: 877850
Start date and time: 2023-05-30 05:01:56 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: IntelCpHeciSvc.exe
Detection: MAL
Classification: mal100.spre.troj.evad.winEXE@6/118@21/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 215
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
• Execution Graph export aborted for target IntelCpHeciSvc.exe, PID 5760 because there are no executed functions
• Execution Graph export aborted for target IntelCpHeciSvc.exe, PID 6824 because it is empty
• Execution Graph export aborted for target dhcpmon.exe, PID 4728 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
05:02:58 | API Interceptor | 684x Sleep call for process: IntelCpHeciSvc.exe modified
05:02:59 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files\DHCP Monitor\dhcpmon.exe
Match | Associated Sample Name / URL | Detection | Threat Name
79.134.225.25 | Price Lists.exe | malicious | Remcos
| 5YzKOPnLR6.exe | malicious | Remcos DBatLoader
| IgpEoWeRub.exe | malicious | Remcos
| BX3RCBzzgf.exe | malicious | Remcos
| GePZmBqCQ4.exe | malicious | Nanocore
| COMMERCIAL INVOICE AND PACKING LIST 1838CTNS,Date - 19th August2021.xlsx | malicious | Nanocore
| eIR8HT660q.exe | malicious | Nanocore
| EGxDSO4qfi.exe | malicious | Nanocore
| c3GwsoGAOg.exe | malicious | Nanocore
| HBW PAYMENT LIST FOR 2021,20210809.xlsx | malicious | Nanocore
| 4d6nx7GoC3.exe | malicious | Remcos
| Evu57sZ6gI.exe | malicious | Remcos
| KYcdTLr5iU.exe | malicious | Remcos
| TtZQb8Wd4p.exe | malicious | BitRAT
| KRooWcCysc.exe | malicious | Unknown
| fyEcI70Ihw.exe | malicious | Azorult Clipboard Hijacker
| NgmQnkRqAm.exe | malicious | Unknown
| xSbADSDM2M.exe | malicious | AsyncRAT Azorult
| 7Ip2LRL8wN.exe | malicious | Unknown
| ZCI8lXL6ev.exe | malicious | BitRAT
No context
                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                            FINK-TELECOM-SERVICESCH4mURngnyJN.exeGet hashmaliciousAveMaria, UACMeBrowse
                                                            • 79.134.225.96
                                                            bOoc2lPsx3.exeGet hashmaliciousAveMaria, UACMeBrowse
                                                            • 79.134.225.69
                                                            Westernunionslippdf.jsGet hashmaliciousUnknownBrowse
                                                            • 79.134.225.40
                                                            western_union_receipt-6c1136ae379eefabd1125356a838f43c150504aa.jsGet hashmaliciousUnknownBrowse
                                                            • 79.134.225.40
                                                            Ofac_compliance_pdf.jsGet hashmaliciousUnknownBrowse
                                                            • 79.134.225.40
                                                            PO00SMK21PDF-Files.COM.exeGet hashmaliciousAveMaria, UACMeBrowse
                                                            • 79.134.225.82
                                                            430320.imgGet hashmaliciousUnknownBrowse
                                                            • 79.134.225.84
No context
Match: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Associated Sample Name / URL | Detection | Threat Name
02624999.exe | malicious | Babadeda, Neshta
IMG001.exe | malicious | Neshta, Xmrig
Sniper.exe | malicious | Neshta
NjRat0.7DGoldenEditionRus.exe | malicious | Neshta
OXIJoiner.exe | malicious | Neshta
Trojan.exe | malicious | Neshta
IMG02.COM.exe | malicious | AveMaria, Neshta, UACMe
SQLi_v.9.8.2.exe | malicious | Neshta, Njrat
explorer.exe | malicious | Neshta, Njrat
1ar7klNsmq.exe | malicious | Neshta, RedLine
doc0148492023021710544 (2).exe | malicious | AgentTesla, Neshta
fdHZGH5CG1.exe | malicious | BitRAT, Neshta
lwbPFvP3P5.exe | malicious | Neshta
HRWj0hnjJk.exe | malicious | CMLocker, Neshta
NcfHiZqvOh.exe | malicious | Chaos, Neshta
wjYg6RYSgH.exe | malicious | Chaos, Neshta
24Pc2GwGkp.exe | malicious | Chaos, Neshta
kklXWaOf36.exe | malicious | Chaos, Neshta
sPhhf6qxTe.exe | malicious | Chaos, Neshta
RIvacl7ecj.exe | malicious | Chaos, Neshta
File: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Process: C:\Users\user\Desktop\IntelCpHeciSvc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 244400
Entropy (8bit): 6.5189732112846555
Encrypted: false
SSDEEP: 3072:sr85COzMPySe8DnpeIPipoHbKvXWXz9LRnsaJUS+6wPXD3fxNW7gq5yGgA9SBtdv:k9OeySe8AIqpoHbnDns1ND97deKzC/y
MD5: CC9086282AEB0488C6F400AFBF477D65
SHA1: 2086A61C1F68C0E36C0F9017C68528F2E2E866D7
SHA-256: C2D2D8A74C726957A9DD578DCC0ED1C8B86B400822477B50FB2518923065E229
SHA-512: 564924ADF4BCE14AEB6EACAED8A2CC9D809CDBBDAC257EBA7B3AE19EA4A419619B20B67AA4675FC81558B76F210C6ED6EE3FE4E27F8A08D6782BB64D2E5E2078
Malicious: true
Yara Hits:
• Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, Author: Arnim Rupp
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, Author: Florian Roth (Nextron Systems)
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\ose.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 96%
• Antivirus: Virustotal, Detection: 93%
Joe Sandbox View:
• Filename: 02624999.exe, Detection: malicious
• Filename: IMG001.exe, Detection: malicious
• Filename: Sniper.exe, Detection: malicious
• Filename: NjRat0.7DGoldenEditionRus.exe, Detection: malicious
• Filename: OXIJoiner.exe, Detection: malicious
• Filename: Trojan.exe, Detection: malicious
• Filename: IMG02.COM.exe, Detection: malicious
• Filename: SQLi_v.9.8.2.exe, Detection: malicious
• Filename: explorer.exe, Detection: malicious
• Filename: 1ar7klNsmq.exe, Detection: malicious
• Filename: doc0148492023021710544 (2).exe, Detection: malicious
• Filename: fdHZGH5CG1.exe, Detection: malicious
• Filename: lwbPFvP3P5.exe, Detection: malicious
• Filename: HRWj0hnjJk.exe, Detection: malicious
• Filename: NcfHiZqvOh.exe, Detection: malicious
• Filename: wjYg6RYSgH.exe, Detection: malicious
• Filename: 24Pc2GwGkp.exe, Detection: malicious
• Filename: kklXWaOf36.exe, Detection: malicious
• Filename: sPhhf6qxTe.exe, Detection: malicious
• Filename: RIvacl7ecj.exe, Detection: malicious
Reputation: moderate, very likely benign file
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
File: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe
Process: C:\Users\user\Desktop\IntelCpHeciSvc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 278208
Entropy (8bit): 4.147085013209047
Encrypted: false
SSDEEP: 1536:JxqjQ+P04wsmJCy0UjsWpcdVO4Mqg+aJRaCAd1uhNRBo+XrbQILFkbeumIkA39xb:sr85CyFGVO4Mqg+WDr8LRkgUA1nQZs
MD5: CB74FFCED758250840C0BF149835FF35
SHA1: 8641E256AE71E51374B4BF24E317BDD64F3F26C8
SHA-256: 4EACD1204E4856AE01D64D58C93E7D45D8CA825C5A5AD1D998576A01ABFFAB8F
SHA-512: 47DE98059B44F7D2C98503FEF3BFADA075C0A25F3480A435B25A505CDB6D63D6969563A5BA0EA2005B6884A93EB3E7D4A293860D75921518D4FC5C33324E197E
Malicious: true
Yara Hits:
• Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, Author: Arnim Rupp
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, Author: Florian Roth (Nextron Systems)
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\MSOCache\All Users\{90160000-0011-0000-0000-0000000FF1CE}-C\setup.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 98%
Reputation: moderate, very likely benign file
File: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
Process: C:\Users\user\Desktop\IntelCpHeciSvc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 180272
Entropy (8bit): 6.296469804776402
Encrypted: false
SSDEEP: 3072:sr85CjcYN0KD42sN7UGMovkIJ1jJ7LxcUUPm8aVJD37:k9jLN0K0NsjM7Lx5rJDr
MD5: DBF433D30B00C342CDDA474F1E5C3551
SHA1: F69AC3300AE37D7F60D5417525C9B33D4AAF6F2F
SHA-256: F4160ECB4F7213BECFCD77518CCBB6DC05F8524CC9E6BEFBFC0F5546F1E9F134
SHA-512: 58BAAEF31A40E1530AEAA4021F1AA42EA21DAD1A525F9044A8D25AFA188E5F36E829B3312A81216A4F5500219E09D0A9F0072F50A925E6331A332FFD746BD67E
Malicious: true
Yara Hits:
• Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, Author: Arnim Rupp
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, Author: Florian Roth (Nextron Systems)
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 100%
Reputation: moderate, very likely benign file
File: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Process: C:\Users\user\Desktop\IntelCpHeciSvc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 340528
Entropy (8bit): 6.5900810039009725
Encrypted: false
SSDEEP: 6144:k9jZAyHK0TcC+TKfVM7ZoL3czvPOU4MZY7TZoopFAdEm1t:2ZA2TcC5ko8aVoWAdEmT
MD5: D2EB72B886C0E4516AD92D182472D3BE
SHA1: 760158C1460813FEB54EFF98E4C91D83EFBCB436
SHA-256: F2A6D42CE2B2A77F3425D7259F0C3DFA0ED725C953D8D562DD0882591D2BA484
SHA-512: 2AF8D00EFA617937A160F2E1EC0B30411736B486835ED1368C07D6A8A3247B236C8E5D9CB7CAB8472A72294C44BDAD8BD9266661D313E12B612D902BE68384A5
Malicious: true
Yara Hits:
• Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, Author: Arnim Rupp
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, Author: Florian Roth (Nextron Systems)
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 100%
File: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Process: C:\Users\user\Desktop\IntelCpHeciSvc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 9516592
Entropy (8bit): 6.938557564832647
Encrypted: false
SSDEEP: 98304:vDrMXEU5YPx01Dz2JhT1SbST3fX8ommgE6FWecuhd91h32zNX3CG9M:cEI2JhT1SeD/8BmgE6AkhdLh3QNd9M
MD5: 6469E2741DF733E5988971D908D1CB85
SHA1: EBA742ED0EA23763C146377C0CF5464ADAD125D6
SHA-256: 1E9CCFA853279C8F8653ECD1BB17FAE5CAC2DE950E32B2EF61D24D9503184A78
SHA-512: 5F3D36CC3F6BFBF2687B4EB46A0332FD9915F2477565A09BDBB7879A1B88760FEDBCC8707C68B76B9CD5F830B91382D50BC3E328E86E2A66C011C2A3B6543220
Malicious: true
Yara Hits:
• Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, Author: Arnim Rupp
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 97%

Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):2612784
                                                                                                    Entropy (8bit):6.11140851325999
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:49152:+5j15HcNnCCZjaDpiA6E4O8b8ITDnlC+u:+5j1KCC4Dt
                                                                                                    MD5:5F33B528035F5DF3D4DEE014B93925F1
                                                                                                    SHA1:95AA78A7CC348A0A675FF9E3E21912413D90D8F9
                                                                                                    SHA-256:B1FBC7B6394735885586EF3FFF94154FA426A65DA37EFD994AB495026A7D7E77
                                                                                                    SHA-512:9497DD0976E9C967169BEC3BAC5EEFA3ECE164338AB6FCFC1E734204229FD6C1C3EBE3F7917E2517675DDDD514801B6843135DCA8CE4C46AD34177C14A14488A
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):90160
                                                                                                    Entropy (8bit):6.34072613745348
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:JxqjQ+P04wsmJCQhUpMPub5+G92qoooZVq/LF:sr85COqSwgHVqDF
                                                                                                    MD5:FA7D79A2CF553CBFA0EB56C0DA7FBD02
                                                                                                    SHA1:1CB1B005CA1D42860C4D9CF7A5335651AF796D91
                                                                                                    SHA-256:BC90A5650BA265C27CB5881FCF46D278D77184BC73BC1E1B2D479848BBF58674
                                                                                                    SHA-512:45CA0A5A793F4AC1EF57C5A55073FAC75F22ACA8BF83423E49491EB4ED16CF0A2C109B178276433CB1E4513744EC3974256E1BBC809F1309E1E233BBDDD4C457
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 97%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):6152240
                                                                                                    Entropy (8bit):6.6006137058553
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:98304:kzWaiDMRWPaefvGQCB97iKezm9GlIsgCDlFXHhoswt7HPe8U:k+QI9CzWr3Ws6PpU
                                                                                                    MD5:B4560A6288B179EC9DCA7A98C3FD7E8E
                                                                                                    SHA1:74D52D67CF2B54947D4390419E7F7EF3A10B48E3
                                                                                                    SHA-256:8FCFC6FDDB85BEB3B6C6482437DF418692A9601A8967FA129C6870E19AA954BE
                                                                                                    SHA-512:5B6D5E587D5F63CD6EA237CBCF1BC15FC378ADDA2E39C5E2348E9BB5D20DCA8384CAF8D0260BB5584CD248BA67EE7222A8CFECAC66B18ED703FE64F63B5256C6
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, Author: Arnim Rupp
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):190512
                                                                                                    Entropy (8bit):6.576815762637232
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:sr85Cl8+4lW4L7c3BG7THxRvyAgnz8n3Nn7b4o4kbT93Kxj2:k9h4l/Lg3ovHxAcb4oJbNKxj2
                                                                                                    MD5:EF4F52F25DA99ABE7221141D567472AC
                                                                                                    SHA1:4CAF7D4FA8D3F6D759AAD9BAABB6F1DCBCCB397E
                                                                                                    SHA-256:7F116252DBF7798B76729BB155508174EC21A2FDC9E9E176374E0CF57BA5B0AF
                                                                                                    SHA-512:09114CB1242B1B06B531EB83D229BD6415BEBAA278CF63D72FACBE32C0D34B797784239BA788721CDCFDC128E522B95365CDF5C476667E2221336D0934FF5B8F
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):140848
                                                                                                    Entropy (8bit):6.306221506765706
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:JxqjQ+P04wsmJC7ULU8+mFfaz1llPN5gWCP19NJ8cSLgpA3hKwYPRvGdIab:sr85C7ULomFfWlF+WCP1icSLgpG88b
                                                                                                    MD5:6B829BD673B03FB5D32E6A102BD00C54
                                                                                                    SHA1:409E57A015E4B1E2D359D2DB8EF576CC13748AFE
                                                                                                    SHA-256:C060AE6CE05CE15128F614480DF559671338E950AB8E5C6F425331B1F1C07634
                                                                                                    SHA-512:792538C3A821F0D66E5963228B672EF8AEBF95891473146E375E9BF22C171739A90B7BDD89552BF502802B22FBBA94BE6E6530406C420203F3164DD014F19AB9
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):260104
                                                                                                    Entropy (8bit):6.384747990341208
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:sr85CYl4dsOc6v2vTzwU+Pho86meq+FaSoB2+vSHr8qcVz5fzsC:k9r3PiY+Fa7BdvG1cT7
                                                                                                    MD5:4DDC609AE13A777493F3EEDA70A81D40
                                                                                                    SHA1:8957C390F9B2C136D37190E32BCCAE3AE671C80A
                                                                                                    SHA-256:16D65F2463658A72DBA205DCAA18BC3D0BAB4453E726233D68BC176E69DB0950
                                                                                                    SHA-512:9D7F90D1529CAB20078C2690BF7BFFAB5A451A41D8993781EFFE807E619DA0E7292F991DA2F0C5C131B111D028B3E6084E5648C90816E74DFB664E7F78181BC5
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 98%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):395344
                                                                                                    Entropy (8bit):6.40974219406537
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:k9W3n0dK2NP0RHx8D98WTBPW8fF8oABm1nKZ0RsrI:WKhHSDeWTRW8fdebmqI
                                                                                                    MD5:8C753D6448183DEA5269445738486E01
                                                                                                    SHA1:EBBBDC0022CA7487CD6294714CD3FBCB70923AF9
                                                                                                    SHA-256:473EB551101CAEAF2D18F811342E21DE323C8DD19ED21011997716871DEFE997
                                                                                                    SHA-512:4F6FDDEFC42455540448EAC0B693A4847E21B68467486376A4186776BFE137337733D3075B7B87ED7DAC532478DC9AFC63883607EC8205DF3F155FEE64C7A9BE
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 96%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):128160
                                                                                                    Entropy (8bit):6.34354996662028
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:JxqjQ+P04wsmJCWM2D57Kykf8d/R8Tyr5J5is7MDjrXDyO4zkm8dbHVLokF8iJTp:sr85CCQw/STyr5Jks7MvrMzkm8PL3Eo
                                                                                                    MD5:CCE8964848413B49F18A44DA9CB0A79B
                                                                                                    SHA1:0B7452100D400ACEBB1C1887542F322A92CBD7AE
                                                                                                    SHA-256:FE44CA8D5050932851AA54C23133277E66DB939501AF58E5AEB7B67EC1DDE7B5
                                                                                                    SHA-512:BF8FC270229D46A083CED30DA6637F3CA510B0CE44624A9B21EC6AACAC81666DFFD41855053A936AA9E8EA6E745A09B820B506EC7BF1173B6F1837828A35103D
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 98%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):146416
                                                                                                    Entropy (8bit):6.360093562607092
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:JxqjQ+P04wsmJC9S7UmwuBLAefbVH8x+FOI31EmkIY2d5J6WUghEuireklhKsikg:sr85Cs7HN9fN8sFOE1Z5Y2966ilU9xL
                                                                                                    MD5:92DC0A5B61C98AC6CA3C9E09711E0A5D
                                                                                                    SHA1:F809F50CFDFBC469561BCED921D0BAD343A0D7B4
                                                                                                    SHA-256:3E9DA97A7106122245E77F13F3F3CC96C055D732AB841EB848D03AC25401C1BC
                                                                                                    SHA-512:D9EEFB19F82E0786D9BE0DBE5E339D25473FB3A09682F40C6D190D4C320CCA5556ABB72B5D97C6B0DA4F8FAEFDC6D39AC9D0415FDF94EBCC90ECDF2E513C6A31
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):285168
                                                                                                    Entropy (8bit):6.108456726369133
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:k9P1UKupTu8ffMb0/GxsZfcJtqQ1UBZ6g:jK+HMYcytZh
                                                                                                    MD5:12C29DD57AA69F45DDD2E47620E0A8D9
                                                                                                    SHA1:BA297AA3FE237CA916257BC46370B360A2DB2223
                                                                                                    SHA-256:22A585C183E27B3C732028FF193733C2F9D03700A0E95E65C556B0592C43D880
                                                                                                    SHA-512:255176CD1A88DFA2AF3838769CC20DC7AD9D969344801F07B9EBB372C12CEE3F47F2DBA3559F391DEAB10650875CAD245D9724ACFA23A42B336BFA96559A5488
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):95216
                                                                                                    Entropy (8bit):6.254186124080135
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:JxqjQ+P04wsmJC66w8MghW4wNlu9HQIXsW/44:sr85C66w8oFlKwW//
                                                                                                    MD5:176436D406FD1AABEBAE353963B3EBCF
                                                                                                    SHA1:9FFDFDB8CC832A0C6501C4C0E85B23A0F7EFF57A
                                                                                                    SHA-256:2F947E3CA624CE7373080B4A3934E21644FB070A53FEEAAE442B15B849C2954F
                                                                                                    SHA-512:A2D1A714E0C1E5463260C64048BA8FD5064CFA06D4A43D02FC04A30748102FF5BA86D20A08E611E200DC778E2B7B3AE808DA48132A05A61AA09AC424A182A06A
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):152112
                                                                                                    Entropy (8bit):6.146727203548715
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:JxqjQ+P04wsmJC9Mqf1X/8cxsNsWUd09dlwxiBLSPLQ7eti/kCXBIvpnJXCFgyf:sr85C9Mqf1XEcxJMciBx7mgkC+Jt6gA
                                                                                                    MD5:7E82408281FA552ECF495EF0711EA163
                                                                                                    SHA1:33AC8ACCCDD372B80174C0F64CF619D1FE62D07D
                                                                                                    SHA-256:7746601A09FABE22EDA2203402B7060640DF699E26F16534CE4726AF65A5040C
                                                                                                    SHA-512:C1CBB428FF3FDB1A6D15CE0FC59BC5AD0B8EA86FCA232FE43DCAF94C620907B314ED82BC018137DEFD51C744106BF55D5938253D675E7CE2C2BFA6DC6079EB28
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):238776
                                                                                                    Entropy (8bit):6.175509697860494
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:sr85CrpTjGuX7GVdw3ELPU5+WYPwmsDx5T4XT3CAOA3GeiIfrV5EAVMczsELz7Vz:k9rtjGFPy8wjNADHrLEoznVz
                                                                                                    MD5:80E793F8DD96C3F7255E2A9BDA94C7A7
                                                                                                    SHA1:65BDD000FE4E96E53F6CBEDE262E2E899AB7370C
                                                                                                    SHA-256:1B813E873416521371C8CF5478BC29E7261EEB358EACCCC8AE19B073E7A9C2CA
                                                                                                    SHA-512:CE9AFCEE60708A4038FEDBC71E113A41FF0D9328737184C6E1D89863185F148CA8DAF8CEF53846391C7B6033734207D9EC4AE30B66F945ADB849CFDB0830B7FA
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):197808
                                                                                                    Entropy (8bit):6.521212414216342
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:sr85CJv5cyOZyW6RRWy4ZNC6ZraL3mU3FR5StHe+:k9h5tbXWBZw6ZraL3mh
                                                                                                    MD5:3C43C01C22830EA3151F6772436933DC
                                                                                                    SHA1:F4E5C82240FE2810D7C1490DA4C6F40FAC5DCB66
                                                                                                    SHA-256:309EF2E6F16A0797E02F5DD1B53540F2BB4BD5D5BDCD635663A2486FCE9EA1DB
                                                                                                    SHA-512:A88C3AB6D1CF9323581B84A98081D4DE5CE8DF6EEDE53131A902EFACCA7068214BDAFDB5ECEC43763EBAFE14BD79BBB6433326A07871DD8F74507DEB54DE9DCA
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 98%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):217776
                                                                                                    Entropy (8bit):6.279671702068234
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:sr85CpHThgfQMdmFDCwpcGr/yryIdXRWy4ZNC94QO9UKRGRLK:k9ZTOfZdmFDNS2aOpBZw9xKaK
                                                                                                    MD5:2D7B5026E966B9F095EFF2F6AB724367
                                                                                                    SHA1:6C0C7F22F8B40CFB1A1E14142E8C54A233AFF1A9
                                                                                                    SHA-256:8154E59A9B387176D020F6144254BE5FBD69351014AE64002F560CE744E48A5E
                                                                                                    SHA-512:8E7F5B9422A081D6AF1EBA221D413370EE42B6B5722B152DCB0BB5B7700F435359DC4484A725F2177FF6F3CA8840605EF6F78BC0A7411E333F418E84546F91CE
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1377456
                                                                                                    Entropy (8bit):7.492762950137599
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24576:E0RJ529+RipvL1SXk1QE1RGOTnIEQc4au9NgxnHNnGw:p89+ApwXk1QE1RzsEQPaxHNGw
                                                                                                    MD5:984FD2F9964FA1C220E32004FE066F12
                                                                                                    SHA1:94D45F3B036F6FBAD72F3F2350BF641F746725C0
                                                                                                    SHA-256:3C665DAB78B5F613D40A620957D493B2D133C3F37AF6D7ACBAD1F05CE6EF91FD
                                                                                                    SHA-512:63538A12B7B1CD06CA06EF498CC0F8813277CAD50A4F7D8B5D821D3FD93D04FBFC03918C6195825EF05B003A29C5D17FA2FACDE78ECC3060E0AC7AB0FAD792C5
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 97%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1418416
                                                                                                    Entropy (8bit):7.424737019812187
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24576:dBCnx+QJ529+RipvL1SXk1QE1RGOTnIEQc4au9NgxnHNn6uioL:duxw9+ApwXk1QE1RzsEQPaxHNks
                                                                                                    MD5:97155B2E1EE1B3FD0EAA1EC515B180EC
                                                                                                    SHA1:41C5258AE0E982FBC20812B3738E4C58F6F4FE41
                                                                                                    SHA-256:FECD867EB0E79F6810F4E0748AC35BA0C0C8C605000A5284FA7F6D98F3E38EAF
                                                                                                    SHA-512:F997B9E8506A20DE2A2F80DB44E212C4BAFB4421869EA308F15DE9CA1639588D6E84A0F357001A7D2D4D27125E004F535B97B25F861039420E00A66F8ABA8FA0
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 96%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):346624
                                                                                                    Entropy (8bit):7.904139028422803
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:k9ypXDXz7yIrozs0WuNd3ojusBdgnNW6r4F53ttuGENGFdVCLEYnPO1D7YYoSyZV:V9zGImAjJdcH4j3ttzFdVCLNSfHoSWCG
                                                                                                    MD5:4D2A6099D369E478E6B97ECA38DF66FF
                                                                                                    SHA1:F8A2EFB513BC22A550E1DAADB7765D3691795D05
                                                                                                    SHA-256:E8657C5096C1D6059D7862D842C93EE9D7C16331EFBEC02C99BECA1ACEF0E4D7
                                                                                                    SHA-512:7BC01CBF7A591AAC71439A126940D1374B6BB49A3109651EB9525026EAB22AD70558FFB8723838C33830467D1B7DBE72E76BA84925BFECD405E10B83FFDF8A45
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\upx.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 97%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):160424
                                                                                                    Entropy (8bit):6.10165663615367
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:sr85C5y0L5hQCbIJqC3CJyoDjyYB78UAwBvm5:k9LgLk1B7XBv8
                                                                                                    MD5:F1C9F5DEE11DC9DBE65CFF99DB035B96
                                                                                                    SHA1:1E0736C1890BC81AD146FCDAA0A7B3481CA02CAB
                                                                                                    SHA-256:C20A680F2DEC0F5D917ECB0F72E8609BB30B3632AFD719969A86347C06D048A2
                                                                                                    SHA-512:B0782B2D3E830250A9CC782F6F90FB82B6AF99EBDF3FFB447C9AFB20F4971F4BCF48A2A562C107C1470A2854998116D6392FE59670773781F6AF1D02D9F9A25E
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 98%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1055400
                                                                                                    Entropy (8bit):6.4225736655610195
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24576:dmUFhNcmLFj4svqaShRsUiTfjo5ya8j8s8:vGmxj4svqaShRibza8h8
                                                                                                    MD5:3E5A05A68FC9D6DF26689AC8A26C00FD
                                                                                                    SHA1:323355134CA0C548C774766C0D11C13E8A02FA21
                                                                                                    SHA-256:E200098DDDCB591E14643A48E8528C9A1790770D61FD4FA38D4A34C472E735DD
                                                                                                    SHA-512:54D90B22C330A6FB935BA844AAD8193DB2BD2F41360BF66CB34F3851E54F97E40EA406B9DE1C585F3115869C299D913CB1E4473AF3B9F3D7212EF386391B2684
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1298432
                                                                                                    Entropy (8bit):6.68752077269718
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24576:3h7dtrjrICw9XuXo7beSTdt5xbX02uvfTXfBxrj3d5E/jKQvVj4YpdjYY0td7ktW:3ftnrICSooGSTD5xbX022fjBxrj3MA
                                                                                                    MD5:4D90BC4B9810CF47BE47D6C9DEC20FEB
                                                                                                    SHA1:3A78D864C9917DA386142FBA5CA7FA1342431B79
                                                                                                    SHA-256:F7247AB5D88EED3BA0CF6EA41E55FF75873FE7A9DE5C85E6A32C620E76F9D01C
                                                                                                    SHA-512:0D5C6F60E54B2F9D8380B712959585DAB9181072A3322591417C6E44F348347DAB37CB10C5CAC7BFA5668848E6BD40F2CD0B421E8DC2F9B0C45BC414DAC574D0
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):108903
                                                                                                    Entropy (8bit):6.7724162065172395
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:JxqjQ+P04wsmJCWCrD5iTfMEgaGySODDvRit2RPYqa5pic6jXFdL2KiMceCry:sr85CWCrDI11VDDvBPA6jXFN2MceCry
                                                                                                    MD5:2F9A43267EEBE21AC9F33B334433234D
                                                                                                    SHA1:08FEBD231E86E54CFDEBFCB03204314209397CB5
                                                                                                    SHA-256:6AADAB36A7040EDD91B13CAEC0097C643A71FB2F09940E8F9FE303E1CEDC1D0C
                                                                                                    SHA-512:C4CB3299BAE2979C22BFD2A825DD3D68B2A93234E78DB60572BA5FAECB525FD0F088703FE055E316835A3A8908D126F641CB5DB830EF7D21387373E3CB5B52C6
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\AutoIt3\Uninstall.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 97%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):464936
                                                                                                    Entropy (8bit):6.360683839248502
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:k9DQcslnC3znG+xfbMgyGn7LiJdKkAtyKuskePvX2Zp7DmuXYvr6ys/pJYCf:PlnCxjMyn72/KkAtydem3nM6BHYo
                                                                                                    MD5:6A02DFAEE140217151427D7301E61289
                                                                                                    SHA1:793B86D11BD13C12BB8D60E01F36A21A3CE2F728
                                                                                                    SHA-256:7F474C8C7643AB7A5AA9CDB27A93ECB7CA3F23ED8AF916CB7FC5905F572CF732
                                                                                                    SHA-512:A4E21A104CD9C772799AA84632EE821A0B0CF859721F6C3482BC532221DFFFDA8186888BBB9B52391E3E9F472631F3C5320A7DD4976ED49674F8BF322E4A9DA6
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):125456
                                                                                                    Entropy (8bit):6.243532552718445
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:JxqjQ+P04wsmJCV66hOAsu3ocbxghFd9fP4LXRxQyEvzDmxvuLX+:sr85CkkOAsu3v44dOyEv/mxmLO
                                                                                                    MD5:72B958CB9CDCD8F788037A5E9F226F91
                                                                                                    SHA1:F0452F038280AF6E832B89D53228499806B84774
                                                                                                    SHA-256:650B8F0A205CE0C5A8EFC661F8105BC2C6AE5371DE6ACC482E6858B95531BF81
                                                                                                    SHA-512:1CB545931288E5D4C19BF1D710807B7ED661247EDF33CC63AFE4149A687FD0AA9D120A953D8237BAEFC293E55A532A6FFAC0DEE182CA7F9245FE1D0A3BC05DF3
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):472912
                                                                                                    Entropy (8bit):6.5565215741761556
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:wnFwHDxPuHqaTWI/jFucTsoY7BN3Hti0jKWo:wnFwHGiILFucTO7BN3H00jKWo
                                                                                                    MD5:D18639427E57710E5DFF1D1CC15993EE
                                                                                                    SHA1:1F34D641139878D1C07511448D6A4F7B5D751DFB
                                                                                                    SHA-256:F03903002FE82F426A6F63BF70E75CE389023F061575707AF553B78106F1948E
                                                                                                    SHA-512:38740928C49154A960878F12E330C65475A65EA48A83516D16004F1E67196CC96D2BF31D9B669FA59DC3F0E14C872F90EE2AA477A21AD80B7D57E1A852C02713
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1001296
                                                                                                    Entropy (8bit):6.464835172745815
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24576:75UFBBhPT+1Gl+B66TmUC5bx0HnBJIxCN:GrhQwW5Ts5KJAg
                                                                                                    MD5:73AF30D83FD52846075C21A68959FE56
                                                                                                    SHA1:D41B47F559B859045111DA74E8EFD20EC2B70330
                                                                                                    SHA-256:6C6C71C1DCD90546442085B853450922DFA0E71747D3DB8BD984D8918FA4905A
                                                                                                    SHA-512:CEC40FD370886A5A76FFDF0595B818523573ACFE9D3825413F0EDC3E3700D7D1EC6F0ECE465EA5A885556821E50A7C69AA69F0F367B13DCEF3306E0E5101433F
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):686928
                                                                                                    Entropy (8bit):6.657086665651869
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:yxy7dFtEB12w2w6Ahk7Re42UZuy/XlLTsiW0h73OZ+PY7wGPXiCR1bC:N7ftE2y6HFX2UAy/XlLTHW0YwPYEGPXw
                                                                                                    MD5:7A9EC6152E71BEF30EED406A5784031C
                                                                                                    SHA1:0A3D8F9EFFB6F9C0C3B098F234555E36A2A1A279
                                                                                                    SHA-256:E42D06BBE346703D9AC8F28A98AA1D334E088785EBF43203AC51B4BF3881AACE
                                                                                                    SHA-512:5118CC0BD11884DE1DB4380646376F52DC2E6874B9AAAAEDED4F69566BECFDAF6D7B48D6EF98E70FBAC0C32B0668D5392E74C9A8F3EBF0A0F31E4A63D2109051
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):233848
                                                                                                    Entropy (8bit):6.74977503731175
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:sr85C/qeRM5xzgglg8S7UnatoTBf3bmjZqMNT2rIWDTWos+tGEkBbq6D3Bdsb:k9/Rezdlg8S7watoTB2vi9jspTq6Ndsb
                                                                                                    MD5:4F29AC6A10F97FB23E73FC4EB09B299E
                                                                                                    SHA1:4998AB461B66DF8CF435D435AA47BF47BC8DB9E5
                                                                                                    SHA-256:1BF2384B3E4A9F4A95B7FB0B4D03F36A658936F4DE4ED569E137D16069730EDD
                                                                                                    SHA-512:828B210C801F90A6CD1613A74B1020B5A2A447F0AEEFDD8F10AF72EACCE59C32CF46DEE82A335C3A0F77CF62EF02E8E395B4AC401DA010F273CA53EA78583E96
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):233848
                                                                                                    Entropy (8bit):6.753407460087031
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:sr85C/qgC18pVwUM0NldXnSsohU4TBfHqKjZqMN6wVzQQS0o+iwdnP6ngIs2:k9/hCYwUJzdXnSpU4TBdvD2QS0eg6Zs2
                                                                                                    MD5:7664868B3587C8A92E797C9B6A948C4A
                                                                                                    SHA1:AC2CEFF0C1B898A3A3B8CDC524BDE3B2C2401E59
                                                                                                    SHA-256:EA7B9E779DF726F99906E96C1A65804C60840C31D240FA65B164CBE5CFECF0A5
                                                                                                    SHA-512:5D3F983D244C114FBCA962E808DC773D5D3C5E05453363A88238BE54ADDBE35068229A545364412C5B48BEFFCDFD0058F66BAE75DF6C30E92F3CA7DE3B1FAC5A
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaw.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):341880
                                                                                                    Entropy (8bit):6.494451078546094
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:k9//edYNAMeo/0/3/A//FE/FzdXoktv/Pu29mYx:GGmNAMeo/0/OtE/F1tvtFx
                                                                                                    MD5:7E0FECA66B63B24125A4382E4BCCF851
                                                                                                    SHA1:867EE4E9CA574FC1872473AA7D81650C242C63E5
                                                                                                    SHA-256:18DA8ACE9C2524D10A4FBC65C1BD0CF842C81974947139094A6B6B3391C0249E
                                                                                                    SHA-512:65A2011D14979E443E3F62DF858675EB80D49FB42B13E50F0D4125A769D98A6A44E70834D5C3E99911C0D10A0364B54820F6F4AEB60C1382B32EC01978935452
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\javaws.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):2628816
                                                                                                    Entropy (8bit):2.679593361098342
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:iQFsiEt5LODS6RcvRtd+sGum6QHArfePms//bV5cOXPMiCSmRZQkEKFF:XFA5LODZWvT4sGz6QHVN3bcOhfmRqkf
                                                                                                    MD5:9C0D6AC2E466E889E3942F657F2A9722
                                                                                                    SHA1:5A1FAB3A4D953930EE67B31306CE71C94F3DCDF3
                                                                                                    SHA-256:E1DB281AB5D39731EB3A7C44B27928E21FC8D89F2D2B99D8B6D9B6187D412ED5
                                                                                                    SHA-512:50FE3D1BD42615388B7B2395AC645DCF44AC8E0C0B8EE9C5A8C57A1B1E089757B4EDCC4A60E70B7BF136E91022CA474F5E3D3CF2E8724B516DF518F738D5D0BE
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 97%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):225512
                                                                                                    Entropy (8bit):6.411549382704613
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:sr85C8gYp/OAWLTIKE4Vw2v6HXPoYvtT1mxho19K/rEs59s6i/XtXv7+8rKca:k98gYp2ARNQYm+1WllgXtj+eC
                                                                                                    MD5:B45E235D4600D4A75C90D037D9D5C208
                                                                                                    SHA1:994614F1A7F8D7E7423A46781FDB72AD6469835C
                                                                                                    SHA-256:F38C4B7F5604C3D047A1DFA76A0987C6C13FEDD97155DC5633DE38269787AB49
                                                                                                    SHA-512:86050D6F26FFA4999BE405A6F2FD7050436E3C8AA8507A37DDD1BA84F731D6DE547E640C121382AEDB6E6F9D81FD0DE4B34A6A49D1EA44607DA078E705916B97
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 97%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):5434136
                                                                                                    Entropy (8bit):6.306403224869207
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:98304:Hd4rAkEDQUKrXhluiA7i/9kl0DQW/dq9s2/v5OC5Ca/oz6g1PbxL:rkz/Z/9k6DQW/dq9syBB8L
                                                                                                    MD5:241A771AD01F3E181B8930F36DBDCE45
                                                                                                    SHA1:942B1601C5985DDD2DF5E96BBE1993318E17F382
                                                                                                    SHA-256:4C586D3F7AD0945D75EC3F51F46431483E118A6CD811A7D1EF35126832936147
                                                                                                    SHA-512:551A9D772DC1E03EBD66AD320659DE515B7F091A3D157FB6CBE2AFCA74A0E553D3AECB7EEDEC6487E6C2600BB792ABDD35F39C56A3703A4924E983E14F7AB163
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, Author: Arnim Rupp
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CMigrate.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):148832
                                                                                                    Entropy (8bit):6.402312332234301
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:sr85CVrGOTPVJb+dW0wnbP1EfEDVYpqeyDY:k90FdW0wbcEDm/yM
                                                                                                    MD5:8D5273AB369F21CE9AE8DE3617F1543C
                                                                                                    SHA1:2AEC6177549D024BCB3B6F4DA45E31B41F4512C4
                                                                                                    SHA-256:B45246D66ADDD0242CE68F6188DC73A7B1C6A16B6A316E80494092E28346F8AA
                                                                                                    SHA-512:72FD33191470348A2D61CBBA4726374052D0CFAE3596049E37A2B9ABAD2B02902AAFCD059A8F3887C49E3DD25A5AFCB87EA4070FD2579E3D9A162B6A079420E2
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\CSISYNCCLIENT.EXE, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 96%
Process: C:\Users\user\Desktop\IntelCpHeciSvc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 325808
Entropy (8bit): 5.5226016140596625
Encrypted: false
SSDEEP: 6144:k9ULqmJHCJMgenwBOPhloudkpkSuULGD5NlKrGS2g1aQ1p:WmJHCJMgf0PhPdkCzU6D3ZSh0Q1p
MD5: 5136D87E5AF05DCA5F150225AFACB2B6
SHA1: 04EEC23E8B08E97BD8106EC4F0EB43C1DC6D661B
SHA-256: F91DD439569B16AB39E348DC0CA7FFF74E6196E53E32D6260AEE5BBE0635C6FF
SHA-512: FFA6E93116FB8CE90B83A3227DC8D7E448822DDB8EF4DE862448D3521799D4718327DCAE3732D91E6D251F8A1C48467C27A07FF21117A5E6C027F0B2B319C1A8
Malicious: true
Yara Hits:
• Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, Author: Arnim Rupp
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, Author: Florian Roth (Nextron Systems)
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\FLTLDR.EXE, Author: ditekSHen
Antivirus:
• Antivirus: ReversingLabs, Detection: 97%
Process: C:\Users\user\Desktop\IntelCpHeciSvc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 366288
Entropy (8bit): 6.48929995153674
Encrypted: false
SSDEEP: 6144:k9gV7oJKtEsCZQ9BMHmD1tYFLqY/W5R02qO7VKCy7KIxanso:MotEsCa9+aYFLq3ny7KYo
MD5: 679EF460120D3C4038D12BE232F20CDD
SHA1: C4CE1629658BC812383107DA694BBC0C49BC5E9B
SHA-256: 6AD6C4BFB89F876BFAA332917FAB8DB2572A6A785AAD54C2D85A7BA9FAAA6B12
SHA-512: 7B59B45B27A958291844C1455D89DD62A25CE263E8A5BECEF21477A39A02A213506D7CA75CB6FE804A8AC47ACC90A0A3395FFCA0FC431803CD1808425C9A679F
Malicious: true
Yara Hits:
• Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, Author: Arnim Rupp
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, Author: Florian Roth (Nextron Systems)
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\LICLUA.EXE, Author: ditekSHen
Antivirus:
• Antivirus: ReversingLabs, Detection: 100%
Process: C:\Users\user\Desktop\IntelCpHeciSvc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 657064
Entropy (8bit): 3.618030662317966
Encrypted: false
SSDEEP: 1536:JxqjQ+P04wsmJCGaCAd1uhNRN04gi0o0AdA/AZQJSShpuL4Y4YkvJt:sr85CGd04gi0ouuL4Ytkv
MD5: A16A6EA47B7C467547C4A70ED1410B69
SHA1: A09526746160F238704443E171A171BEF915E104
SHA-256: 4C3903394275D2888CF5A7B1252A3DC4D9E1ECE80C29EE713D2D19EDFF824233
SHA-512: 9C24B6937CAB50CF941C5FDD0CB03502A4D82A2C77B31B061355EB162A599B5F8FA7CA3EA06E53063D3D359CD45DDE4F9EC506F41CAD1A4448B35BAA4A8E7AF5
Malicious: true
Yara Hits:
• Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, Author: Arnim Rupp
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, Author: Florian Roth (Nextron Systems)
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOICONS.EXE, Author: ditekSHen
Antivirus:
• Antivirus: ReversingLabs, Detection: 97%
Process: C:\Users\user\Desktop\IntelCpHeciSvc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 222904
Entropy (8bit): 3.461165007131812
Encrypted: false
SSDEEP: 1536:JxqjQ+P04wsmJCt1uhNROY+WxQ0lEJRaCA:sr85C3vWtI
MD5: 4C6E4AE5E8D23BCFD573180D5D0C1CDD
SHA1: 83F2EDB37645A354E99D6EFE2656E1E194D4B88C
SHA-256: 4271DA8BA28C34CB0D2577201C2BEBB00472BCBEE5CF27687AA3F1F2E3539D6D
SHA-512: 9FABF050FB69C6DC2B0B2633BBB4BD406A23EF94EE73033A2801441EB00502671D2178E2E7BEDB2195E10B3CE701A4ED32D332E7476BE43C4999E75ABEFBDCB9
Malicious: true
Yara Hits:
• Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, Author: Arnim Rupp
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, Author: Florian Roth (Nextron Systems)
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOSQM.EXE, Author: ditekSHen
Antivirus:
• Antivirus: ReversingLabs, Detection: 100%
Process: C:\Users\user\Desktop\IntelCpHeciSvc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 262344
Entropy (8bit): 4.108554712470892
Encrypted: false
SSDEEP: 1536:JxqjQ+P04wsmJCzRaCAd1uhNR0Ga1vRdbwzkMrdYJnRQV6J4tuw62roH5lL1u:sr85Ctk9v/0xrsRQIouwjQlL
MD5: B9BB6908286044951C1219CB6D7ED627
SHA1: FF716B938C49D21C28C14A6FEC573153354EDCF1
SHA-256: 1A4DE2B1BDCA2768D92B817B4E79CC884564CA8835C42F4EBACC186620EE576F
SHA-512: DAAA7A6FD5B4064BF38F74D9E4992AC4D2CD58EA946587D7F14433830CC5A3663C1F93F47F5620FE0A52AA664B6CFC49B3690C86F43C418A9A10E61FE6EB9B32
Malicious: true
Yara Hits:
• Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, Author: Arnim Rupp
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, Author: Florian Roth (Nextron Systems)
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\MSOXMLED.EXE, Author: ditekSHen
Antivirus:
• Antivirus: ReversingLabs, Detection: 100%
Process: C:\Users\user\Desktop\IntelCpHeciSvc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 166104
Entropy (8bit): 6.252331629815344
Encrypted: false
SSDEEP: 3072:sr85CWenbUaOU1IcODjnhyAf98rN7btBAxm2Z/ps/rz:k9fIUjEwEGDAxm2Z/m/rz
MD5: 5AA9BF8620B1540F8696BF4158B49F36
SHA1: B6C53F173A497567AEA6D745048B45C2CE46F63C
SHA-256: 9A55AD87E0E8A200C7B5A6E4AF520B17E06781692CB96527AA3332CF943AA1A5
SHA-512: EFC589FD4343761B3A51154734AE41A6C04513731573B84C01AF50B7365292888CDAA0DD3E040093A6C1E5CA73B193059292F837708337B629D379070CC99561
Malicious: true
Yara Hits:
• Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, Author: Arnim Rupp
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, Author: Florian Roth (Nextron Systems)
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, Author: ditekSHen
Antivirus:
• Antivirus: ReversingLabs, Detection: 100%
Process: C:\Users\user\Desktop\IntelCpHeciSvc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 244944
Entropy (8bit): 6.5104370398950335
Encrypted: false
SSDEEP: 3072:sr85CZRqkGhC5v+1Z04e4qOPBRzIN/yvdyVCKtUoBx9KrKeQk1bUpyNB6zLy79bL:k93qkGhCM1fqOPHkN/ylyU2mPUOFL
MD5: CAD74221846597826D04754CDB9DBA4B
SHA1: 9824F68AB0005B1C3B14415085A20AAFCB0F478E
SHA-256: 9DDF22F1422C16EE910A9A7F3588C9A8E25B1596A548B8D523D828FE3F2BAC7D
SHA-512: 9D41DE4C02B9CFDCB126EC0ECD3A3091A2AC80D62D91B067F49FDADC5FDB7FAD344A3C0B32BF6C4661097E5D5CC593FE6AE8F89982111902F4A248CC0FB5048F
Malicious: true
Yara Hits:
• Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, Author: Arnim Rupp
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, Author: Florian Roth (Nextron Systems)
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Oarpmany.exe, Author: ditekSHen
Antivirus:
• Antivirus: ReversingLabs, Detection: 97%
Process: C:\Users\user\Desktop\IntelCpHeciSvc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 589976
Entropy (8bit): 5.336385030490749
Encrypted: false
SSDEEP: 6144:k9D4aeA+WEnGH1NCmWR5FJYUJupxFdYqIVz:2eLWEnONCmC5Vuzrb6z
MD5: EF2793ABFD4E043F63B1CA873F237C2D
SHA1: FF5457BD00F86D79F819F00678FD8AC30F367388
SHA-256: 16C5983B4C61A079E59B24462BE18FBF0E63857FA69F793DE36E74F9BB7A2A82
SHA-512: 5C4D478A4E543E038F9AD52E6B34F9B01B0284C8E634E61014B15E41D4EC49304A0C9308E379867D0FD944B38942203A5D2FF53B3D327B70604093752E421499
Malicious: true
Yara Hits:
• Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, Author: Arnim Rupp
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, Author: Florian Roth (Nextron Systems)
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\ODeploy.exe, Author: ditekSHen
Antivirus:
• Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):673304
                                                                                                    Entropy (8bit):5.441697637615724
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:k9aua5qijR4ZTvC7yPA1ikaY1xA1VurX6hOI0MjEVQTzfKfle6IZuy7:HvqijR4g7h1ikByX/OVE8fle6IZuy7
                                                                                                    MD5:BCFBF50E51399487EB4DBE3EE4E19C31
                                                                                                    SHA1:2E765B3801F6FA24C237674BE5F474593FC51D8B
                                                                                                    SHA-256:CF2CC5B6DF6A8FF7FC0AF8AC395106C2E486297B14C74275229FB6E242A2CF57
                                                                                                    SHA-512:BB167373C6CA5E53018AC2A86116439BF387A4FA4DF1FC6B38A42B55B759CAB1F34CACCA2D0A4400D409A15FD0D2167FB8F410459708E546CC934C6FDDB85B34
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE16\Office Setup Controller\Setup.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):255168
                                                                                                    Entropy (8bit):6.581428824084993
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:sr85C6zcMqiGhz/fA96A9L45vxfq4qzqD27eIyUX3cM74E5S4uNUx9y1RXMUaGY:k96ctXc9L4PCqCz10/Dz1RXMTD
                                                                                                    MD5:5E6B5C0D0846BB3838F629F211229109
                                                                                                    SHA1:B340BBA8A255C1EC362F2BB10C69E71F785462BF
                                                                                                    SHA-256:BD4835C66C6A39D9E15714E3CBDD1DA980B6C81F8F6B5DF3325893CE03E8261A
                                                                                                    SHA-512:7B5353F8B5A551797669546102350B7743C0356BB84E0D14CC513E7DC37F336CB1B498C0AFD8C6D5BF3664EF37852EB46DA27C614CA7F06B908B30408453238C
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 98%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):124136
                                                                                                    Entropy (8bit):6.283326852264287
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:sr85CqPo10JOSdBlrbr1Pg9uCRFRzsxeZ:k9qg1MOcxPmRFJs0Z
                                                                                                    MD5:52A62AAF5FB24EB66FC6580781659B53
                                                                                                    SHA1:F905E2B869462A12A3D57088B2E9F8AF1A822134
                                                                                                    SHA-256:64828A7C1BFD29B45B595E62AFCEF39D808CD286A1C31A7524E2BC7D52B64F2D
                                                                                                    SHA-512:4FF9DDE47D88D2A9AF53B499CB3E5F6E30CAE3A7D6A2370A3AEF95C9000B5821D6F0813363CACDE5B8077EEB718FF8C9C5751F6CE11B6F89C172FA63FA6590EF
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 97%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):348344
                                                                                                    Entropy (8bit):6.672872121878769
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:k9NADu79SiirlTeeGyfgCA/j6FyAO/Hsumwc4+Qx+jeZAVlpTpPXQ:QAvroeGyfgMy1Hs/wtx+je6VlpTp4
                                                                                                    MD5:D100DD451243D803BEF2A6C40B0020C6
                                                                                                    SHA1:A69D07CB6149AB858DA10C4AA9925309F6EEC20B
                                                                                                    SHA-256:AC302270468E2CF49F96CA3EEAB7D5CD20782A9CB92E8553D3530643FADD47E5
                                                                                                    SHA-512:5BE451023E11185B1F3B16FBC950F51EACD2CFDDCBD2957EF8E2F0BD645270E638C3F875C9580418CCE05631940D6127BC7CD6D64B9F9481BED6A2CD9F2834B6
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: SUSP_Unsigned_GoogleUpdate, Description: Detects suspicious unsigned GoogleUpdate.exe, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):447160
                                                                                                    Entropy (8bit):6.42308894643679
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:WjPOEv2zUM2WJoROZApostp4oeTYvwDz8Ox+aCC:Wbn9ostp4Tcvwf8OxdJ
                                                                                                    MD5:BD676ABC8497C82307D92843F54E85B9
                                                                                                    SHA1:8B3EFBF8B25647AF14F57F95502E56AEDBDACB69
                                                                                                    SHA-256:F9F636B05C5C01CCF4BA39B35EA15FD6F5C51E6134BF27486042167337288AE1
                                                                                                    SHA-512:BB62F6201891A9EB77F2AA71F860E2647AE077E3CEE91A1F3CFC256C39EF76A4FD00029558BD709A3C987BEE754A1CB0EA0D5441996E38E5650537F61CA23095
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: SUSP_Unsigned_GoogleUpdate, Description: Detects suspicious unsigned GoogleUpdate.exe, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleCrashHandler64.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):210104
                                                                                                    Entropy (8bit):6.199615239624141
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:sr85C8aKavT/DvbEvK9aobNI2B+hlsfni3YGByThXKBZkZN4GhQ2eRZh+/bJSeoz:k98aK2h9H/B+rwYtiPC
                                                                                                    MD5:E2F2AA47EC5A4AAE63FBA8AD40691B9C
                                                                                                    SHA1:09C83FC458BF3AFAE15756D18681C34141870A22
                                                                                                    SHA-256:5691228B9C00336C0157D99C799DBF03089E6E22EA51395B81DB9F93E8E6C9E6
                                                                                                    SHA-512:5803FB556A8C941C026876F485421A1EFD9DF79AA5DBEEC2F19FD4AD338EAF3A682BC5783951FC7B9350AF7C6CFDE2604D374389A4BE23400F875ACC57B94B38
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: SUSP_Unsigned_GoogleUpdate, Description: Detects suspicious unsigned GoogleUpdate.exe, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdate.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):156344
Entropy (8bit):6.583491683345372
Encrypted:false
SSDEEP:3072:sr85CV4vzT+PXZpsB+KR+EOQC8m9WMxJ7Rfp8K172YPrp:k9zpsB+w9t1MH7cCxPd
MD5:23DACF6F9722D3C34B89656E9D8CC7D0
SHA1:C82795EC367614E155F3FB8353AA6E035B4210BF
SHA-256:31224B24C740F5840570A0A9FBCD77B920081021C48EBCA50C0639A9F26E18CB
SHA-512:9E6599301F7A47F589B3CB19BAD6516B0ABF220F6EAEEE27ABA4AB88A45E7832F529D35217C477309E9DC0849F4B620BA0AF0B242659F9E4F841524C54C14515
Malicious:true
Yara Hits:
• Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe, Author: Arnim Rupp
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe, Author: Florian Roth (Nextron Systems)
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateBroker.exe, Author: ditekSHen
Antivirus:
• Antivirus: ReversingLabs, Detection: 100%
Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):233656
Entropy (8bit):6.293668636600837
Encrypted:false
SSDEEP:3072:sr85CvySAcz4hp9wuzkHUYqWEybmoY46+WbOURHqDVC8O1uZXVS38yXLiQ:k9vySAcz4hUmA0ohMv2GSXVS31GQ
MD5:BE1CC21C0A86B4978B9437E16DE1A420
SHA1:C19C4DD66B04C9BBB14237F352C9D94D4356D31A
SHA-256:2A33F58E2E6D8A1ED1D7DD65035CE467C4C1DB9003EA9A8F05455B19408244E7
SHA-512:BFF4EC3B7D070009DFC7CA9A89DE1320242FE9445AA69631FCB79745556E76A2EA59CF07F2F64F621A57D46B95D972A6BB568FB6CE9895D9859ECC1B07E7CCC6
Malicious:true
Yara Hits:
• Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe, Author: Arnim Rupp
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe, Author: Florian Roth (Nextron Systems)
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateComRegisterShell64.exe, Author: ditekSHen
Antivirus:
• Antivirus: ReversingLabs, Detection: 100%
Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):268984
Entropy (8bit):6.685634979954
Encrypted:false
SSDEEP:6144:k9zXqsTk90qC1AOb7Yswf1Px+efD83zgiC4p:WXqsTkiR7zwRx+AD83ciD
MD5:CE3093F256BDDD46F1825DB8E5FA7F06
SHA1:B61613A8BE5BF1A849379378F8BAB64A8F723CE9
SHA-256:241CC17CDECEEAB568EF77A6E0A1A617740E19D1F37B61155ABF3BF420CF3205
SHA-512:BD5F002AB1EF384F212ED23BDF5C17FB9920D2CE9CC82D1BBE6E43ACFBF3B062F1BCB725BC6E05AC4D5AFD7731E8B7B74AE416ED9C2ECC7484E147B2C7C44755
Malicious:true
Yara Hits:
• Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe, Author: Arnim Rupp
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe, Author: Florian Roth (Nextron Systems)
• Rule: SUSP_Unsigned_GoogleUpdate, Description: Detects suspicious unsigned GoogleUpdate.exe, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe, Author: Florian Roth (Nextron Systems)
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateCore.exe, Author: ditekSHen
Antivirus:
• Antivirus: ReversingLabs, Detection: 100%
Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):156344
Entropy (8bit):6.583159899761365
Encrypted:false
SSDEEP:3072:sr85CZ4qR8v7ZksB+KRdqkC8/BtER5AhC48S1m2YPrZ:k9cksB+wYktEXAe6QPt
MD5:B24BCA7D2B19E941E63EBDD573781A21
SHA1:D646BED25DFB3B3B452334A761E739F23EFDB572
SHA-256:26D0C08FADE4FE2FA81B5A250CBBB23DBA5F637160CE11E50B13DA4932DBC769
SHA-512:D48432AB5DAC45F9DFDFFE84B619695F78D7A3377C34D9F6649E94818B4469208A11E8E795626D161B22430776C5B80A6BFBAEBB8398F1A3DAE74AA30040D5DE
Malicious:true
Yara Hits:
• Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe, Author: Arnim Rupp
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe, Author: Florian Roth (Nextron Systems)
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateOnDemand.exe, Author: ditekSHen
Antivirus:
• Antivirus: ReversingLabs, Detection: 100%
Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1456072
Entropy (8bit):7.903360864050763
Encrypted:false
SSDEEP:24576:wKH/B1FBgDXZNFfZoWe0KVIC9ClKa5IrykTHhQ5NoRyftZZriXWzr6pfKuItwy:wK51rgXteP3Vz9oI2mhoNosVDP+fXq
MD5:9B1499751A0BD2028744637F1D3943C6
SHA1:606351B3371F637F8E52E7A67F0088AF4D9CAEBA
SHA-256:EC1DB30D9847A367AB8D76842674CEA2071989D41FD655F8687E126BB338F1FB
SHA-512:F1C120969BD7A8AE8A1130DB6C0A5CA771ED9DBC3D852B7D0CC094813CAFC8100BA20B16C3169A27AFF7AF34BDE7A77C8AF6C434EEACAF449D42D6A5FE5FE8F3
Malicious:true
Yara Hits:
• Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe, Author: Arnim Rupp
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe, Author: Florian Roth (Nextron Systems)
• Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe, Author: Joe Security
• Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Google\Update\1.3.36.132\GoogleUpdateSetup.exe, Author: ditekSHen
Antivirus:
• Antivirus: ReversingLabs, Detection: 100%
Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1456072
Entropy (8bit):7.903360864050763
Encrypted:false
SSDEEP:24576:wKH/B1FBgDXZNFfZoWe0KVIC9ClKa5IrykTHhQ5NoRyftZZriXWzr6pfKuItwy:wK51rgXteP3Vz9oI2mhoNosVDP+fXq
MD5:9B1499751A0BD2028744637F1D3943C6
SHA1:606351B3371F637F8E52E7A67F0088AF4D9CAEBA
SHA-256:EC1DB30D9847A367AB8D76842674CEA2071989D41FD655F8687E126BB338F1FB
SHA-512:F1C120969BD7A8AE8A1130DB6C0A5CA771ED9DBC3D852B7D0CC094813CAFC8100BA20B16C3169A27AFF7AF34BDE7A77C8AF6C434EEACAF449D42D6A5FE5FE8F3
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 100%
Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1456072
Entropy (8bit):7.903360864050763
Encrypted:false
SSDEEP:24576:wKH/B1FBgDXZNFfZoWe0KVIC9ClKa5IrykTHhQ5NoRyftZZriXWzr6pfKuItwy:wK51rgXteP3Vz9oI2mhoNosVDP+fXq
MD5:9B1499751A0BD2028744637F1D3943C6
SHA1:606351B3371F637F8E52E7A67F0088AF4D9CAEBA
SHA-256:EC1DB30D9847A367AB8D76842674CEA2071989D41FD655F8687E126BB338F1FB
SHA-512:F1C120969BD7A8AE8A1130DB6C0A5CA771ED9DBC3D852B7D0CC094813CAFC8100BA20B16C3169A27AFF7AF34BDE7A77C8AF6C434EEACAF449D42D6A5FE5FE8F3
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 100%
Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):233848
Entropy (8bit):6.74977503731175
Encrypted:false
SSDEEP:3072:sr85C/qeRM5xzgglg8S7UnatoTBf3bmjZqMNT2rIWDTWos+tGEkBbq6D3Bdsb:k9/Rezdlg8S7watoTB2vi9jspTq6Ndsb
MD5:4F29AC6A10F97FB23E73FC4EB09B299E
SHA1:4998AB461B66DF8CF435D435AA47BF47BC8DB9E5
SHA-256:1BF2384B3E4A9F4A95B7FB0B4D03F36A658936F4DE4ED569E137D16069730EDD
SHA-512:828B210C801F90A6CD1613A74B1020B5A2A447F0AEEFDD8F10AF72EACCE59C32CF46DEE82A335C3A0F77CF62EF02E8E395B4AC401DA010F273CA53EA78583E96
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 100%
Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):116088
Entropy (8bit):6.487271937371817
Encrypted:false
SSDEEP:1536:JxqjQ+P04wsmJC/rmKB7qjh3rmKPNdTB63hvdmG2haDkdWIJ7OkUVS:sr85C/qJjZqMNdl2dE+bgOkIS
MD5:0BD4255ABD473ED8E64592BF071499FF
SHA1:52B8A7784CF87B3DF00BBD47335F74726653C398
SHA-256:CB944C36D2BD9E4C2948B738C6983E1F280DC2F01E7268F6CCFE3E812F4533D7
SHA-512:A360FD171158346BF65A4BAF15AA9ABC08C2AFE748C5A7007CDB8A12FBDFF54111688F68C5E91113AF9F730099E752E4C4C5C35A3BC43DDF324755D09E9C66C3
Malicious:true
Yara Hits:
• Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, Author: Arnim Rupp
• Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javacpl.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):233848
                                                                                                    Entropy (8bit):6.753407460087031
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:sr85C/qgC18pVwUM0NldXnSsohU4TBfHqKjZqMN6wVzQQS0o+iwdnP6ngIs2:k9/hCYwUJzdXnSpU4TBdvD2QS0eg6Zs2
                                                                                                    MD5:7664868B3587C8A92E797C9B6A948C4A
                                                                                                    SHA1:AC2CEFF0C1B898A3A3B8CDC524BDE3B2C2401E59
                                                                                                    SHA-256:EA7B9E779DF726F99906E96C1A65804C60840C31D240FA65B164CBE5CFECF0A5
                                                                                                    SHA-512:5D3F983D244C114FBCA962E808DC773D5D3C5E05453363A88238BE54ADDBE35068229A545364412C5B48BEFFCDFD0058F66BAE75DF6C30E92F3CA7DE3B1FAC5A
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):341880
                                                                                                    Entropy (8bit):6.494451078546094
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:k9//edYNAMeo/0/3/A//FE/FzdXoktv/Pu29mYx:GGmNAMeo/0/OtE/F1tvtFx
                                                                                                    MD5:7E0FECA66B63B24125A4382E4BCCF851
                                                                                                    SHA1:867EE4E9CA574FC1872473AA7D81650C242C63E5
                                                                                                    SHA-256:18DA8ACE9C2524D10A4FBC65C1BD0CF842C81974947139094A6B6B3391C0249E
                                                                                                    SHA-512:65A2011D14979E443E3F62DF858675EB80D49FB42B13E50F0D4125A769D98A6A44E70834D5C3E99911C0D10A0364B54820F6F4AEB60C1382B32EC01978935452
                                                                                                    Malicious:true
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):134008
                                                                                                    Entropy (8bit):6.497362587068476
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:sr85CVRJdaMTcOmFk2W5OX8e77hfFTkd33:k9pdLcOIk24OX8knkn
                                                                                                    MD5:84C34888C9A51FB01DF63C0CC0B7C7CD
                                                                                                    SHA1:32A7CBB932FB78BA7D923FBB0552EF161B6B3E30
                                                                                                    SHA-256:566EEBF5BE25EFE8141FBF5FB7AADE83FE071D796B8B1AF954E65AE61F8E3852
                                                                                                    SHA-512:3F6A09924EA6DB56FA45534389A40A3A52B9AF57BB8A3B7F57E5CBFD3E447D7DADF1943874765DCA6F0616FAC4DAE803859DB8E8038B71292026D0A202E6C958
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):99192
                                                                                                    Entropy (8bit):6.3128286006573395
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:JxqjQ+P04wsmJCtOxg2Zz2hf3hOkqnoDdvhQBW1kqanjaYt6Zs8:sr85CtOxBZz2GREQQhanIZs8
                                                                                                    MD5:9DC560AE62D70ACECEBC7FB453F8CC3D
                                                                                                    SHA1:3B54D928E4FE60CA6FD5996F71E2B91243572AB6
                                                                                                    SHA-256:46431DEF5888434940751F24EE0376E6BF2E7A0DC1D6F36CF19C01FB26E33607
                                                                                                    SHA-512:F84807CEEE685F384B8742A82CB0CB9BCAAA53696442C685CC7D2865B561D936B8E2B53D2FB1CF846CEB3F0B9A0BA45404BD1BEACE3CA37FFD9A4555F8E6BF72
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\ssvagent.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):202616
                                                                                                    Entropy (8bit):6.134213889875678
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:sr85CTpI0EAWfL4JVDTBfveag9zQHvlIsSvO55PvV8HVwLZ8qU:k9T20tsL4jTBneag9zQHvCHVqZc
                                                                                                    MD5:91055112AF610F32A9BCD4C75BFB9714
                                                                                                    SHA1:D44A43CAB74C059AE53C557535B1969263BBFB85
                                                                                                    SHA-256:7FE29B3117AC85E958780A679E837037E3AD2524E1715E201E40FF5C14CA12E9
                                                                                                    SHA-512:711A8D1DAA1B4CEFED7B0B49E6CF95353F12909E321AFEDCC0794160A919DE8EF7DFB5164232C05E5BAFC2223B21844F99628E89E5642689D6394F0E7C65E07F
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\unpack200.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):136880
                                                                                                    Entropy (8bit):6.108883505091151
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:sr85Co3Bpj4+gLS8eUxkaenD9UR9whwtvTRMBy:k9o3Bpj4/E5RUNKBy
                                                                                                    MD5:21375F8643D992CD28FE2A43D43FD910
                                                                                                    SHA1:77846ECDCD2AD0F99215194D62D8C30CB0D76A00
                                                                                                    SHA-256:49FAA1C43FD5692B74F615ECE02E84FD846903821652E8F66F13481BE177AB70
                                                                                                    SHA-512:C9C08476BB0985650427AB868BFB4DC67080F08F6F5F44F21D5E91A417C7C4515FACFA4CDC49B5325CD394288326F0ED3B1AA2ABF28FB3DF77C068B82DD658DE
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 96%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):3790504
                                                                                                    Entropy (8bit):3.576026782794367
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:el5td2vvvvvEvvvvvqb5Z6ziw812i4Qog6SerHqE7sLaMqkh:u5ty5Rw8Dog6RrKas
                                                                                                    MD5:044107F1653DC74AFB34823473EE46E2
                                                                                                    SHA1:22494F099C7C71EECF0A2C91B59599CD78518F98
                                                                                                    SHA-256:583AA7E7504D5C1F6826A2E8024AB2362B9C3CD168A3431290E032AE6E3CC04B
                                                                                                    SHA-512:02BA64056F1C3EA8E3BF671835C6548713F6B9A3E928D2DE4D5DFBE510FEE532504A98FC1BFF322A0F4DD58CEBD2942F6F60DFD2686E720129B800F942F5D4D3
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, Author: Arnim Rupp
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\ACCICONS.EXE, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):92664
                                                                                                    Entropy (8bit):6.635062455271286
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:JxqjQ+P04wsmJCECbkMkBExFhpgLTGlrFBbeEOCr:sr85C37uTGlr3iE5r
                                                                                                    MD5:2EAB2215D9C2A45D666A37903ED98BA0
                                                                                                    SHA1:89BE64137D65CA5CB36A01A990A6DC4A1D0C05F7
                                                                                                    SHA-256:9F8A3B5CA9E1E687937FEF9D07614CD8781C094F0E92A39DC4A20B3B8BBF3AB1
                                                                                                    SHA-512:3EF4E92834A8C53D21E02433ADA7D23CF4D593FA5DA399F6985F052EA58D152CDD1E9DACDA6059F41DDEFCE827707136E45E55F6B421EFEC984CF2314DF2A059
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\AppSharingHookController.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):413888
                                                                                                    Entropy (8bit):6.013317343594466
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:k9qd8/cXscXt7E1S4yRSZxqZboxNJ6XeJh:Fd8/cXsS7OS4yuxqpUmeJh
                                                                                                    MD5:D9C03C891BA40A1727DAFB3FAABF3981
                                                                                                    SHA1:C3263DADF7982468BDA720D47B79446B1F842BEE
                                                                                                    SHA-256:F64D6492DE5ECFEC963203FB749E0E98998DBA2208268ECF6058CDEEDDD33ADD
                                                                                                    SHA-512:08152AFFA3D37853AF5FA70DB71D20A60DFC77BB3B34A59E4352FE56CD31B1DC4C831D94734165ADD2D6733A802F2669A3BC9B6EB9DC100B6702D6A0F1E673F1
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\CLVIEW.EXE, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):217896
                                                                                                    Entropy (8bit):6.197146251739616
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:sr85CZiPMhRRhO40LIs5L6YrGioAPKhjah2QE2SkXFKJMt:k92Gn0kE6OrfQs2xt8FKu
                                                                                                    MD5:CB390C1C1680D4DE4E755204084540F6
                                                                                                    SHA1:56F3FA46168726FC6B21BB96281701CF34DBF398
                                                                                                    SHA-256:A56A8D8398D2B9D0421EE034BD32EC6E4B3F4700749563A0A1926E66A5C5AECC
                                                                                                    SHA-512:47044C594474816DD0478F1355173B469626BE9AEE60AC7987E00AA003AEEC6C46A4B2B605A616C349061203EDFFE534661D2BE80177F6C4F77A74B848D198A9
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 98%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):226656
                                                                                                    Entropy (8bit):6.404425291839694
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:sr85CuvMQ/58sNZ2OZ2Oe2T8sXF9xDr1BRo+SYZMuW32GhB:k9u0lsNhgs1f/1BRo+SYZMj2GhB
                                                                                                    MD5:556849FD8DC0825231C2BD774B530A44
                                                                                                    SHA1:E1B0E16F1646106353B6B3018A6D8BA4C2D24791
                                                                                                    SHA-256:80EA049A3B5D6A1036E1416658EC37BBAD73ADCDCEE7F614060A0E17BB15D069
                                                                                                    SHA-512:540B6E41F732D086C59F617707C25AFEBC531D1EE0D200AF76ABEAC101C218384E842C658CECEA68CFEC38B1B22F6F4C6DBF60D01EE04E6BB8C9C334B213303A
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):496320
                                                                                                    Entropy (8bit):6.672915426345178
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:k9aDcmdCI6BHAlSpFG/+Ls3ze30xLs+bz0YTirzhafYyf7Pvm7M80yzyiL7nk:XDcmd/6JAB/6N30xQWhRvm7MIDnk
                                                                                                    MD5:90CF1CD64775478C1557AEB644225F48
                                                                                                    SHA1:F44436465D291ECAA558A9AB2F1289BD38A92347
                                                                                                    SHA-256:48FE31CB988AF311DBA1889CF7238F36010905119A7406E867B7B1DE9F768120
                                                                                                    SHA-512:0E12D4123A430FEC8427B525C11C12B48C5EB2122D61FCA7790888407006D83E9E94662C9221163AF32B92901285FD0AEB947986173EA44929D6446764652A78
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 98%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):284864
                                                                                                    Entropy (8bit):6.433547487808304
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:k9PWQZIn91zska8o8dfu7hjBjobCUqJXGSOjKCkVWjlc:eE91zhTdfu7bU+DkKCkoy
                                                                                                    MD5:0BF7F314B38096114127763942C90D2D
                                                                                                    SHA1:030FBE240815DA96BC215BE9E44C416F1A93B194
                                                                                                    SHA-256:ED3E3235CD221A28CA04A62BD23CF3B751D75F2F669378BA3713A16C5AB2DD3A
                                                                                                    SHA-512:310A87A78DEF4C48B225B8F9951BAB74A7B4884EBB58EE4F5155C418906799FA44E29724F9E9895BE79E7887FBF7EADE915DF79477DB0FF497FF484ECDD30D88
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\DCF\filecompare.exe, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 97%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):813344
                                                                                                    Entropy (8bit):3.593320257597669
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:sr85CN6zI4fTT9loKYlAE8SM+mkzT4vo6d7FZzSsFinsietwZTtcihJibnqtaKRx:k9N6zNf9laluQoSSBHSUdb5LpB8pN
                                                                                                    MD5:471BDD50CAED8E9F629648ECA3C43767
                                                                                                    SHA1:0E4E1421BAC9E68581A43D1DBCE9D4DFD81DEDF0
                                                                                                    SHA-256:01C7F5CCCE86104C24DB562B7FF360D091917E66F927AFE32BB7B76EA158DCAA
                                                                                                    SHA-512:CFEF6E2669063B6D6B53DB3C7C6342093258212B2331F13784529CBCCE7E4BD299AB25978F2E322448C09B01C9F57BBB11EDF8655E8EF7537A04966825F243E0
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\FIRSTRUN.EXE, Author: ditekSHen
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4461400
                                                                                                    Entropy (8bit):5.950158976548802
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:98304:FphXvapxXCk1JgTN6Yidt0TGwdp7JJK4AjXYwK/nF+TXx:zhXvapxSk1STN6+JK7jXG/nkrx
                                                                                                    MD5:D45CA170523B3F9E1CCA2BE57DFBC28D
                                                                                                    SHA1:2FDC4351383F23C91BBF168CAA91C5DECDA1A960
                                                                                                    SHA-256:A631289492580379DF23A1B73084768E510BDE0016A484268347B7392755ECAC
                                                                                                    SHA-512:E3A30E9305EB0A8AE6F0137D83C09FA4E9C479C39652572ABB81845B1C8B13A96B41FD595C211C54CFF45F52CA2747B276568E01E1573F5D35DFCFE7A40C77BE
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, Author: Arnim Rupp
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\GRAPH.EXE, Author: ditekSHen
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):244160
                                                                                                    Entropy (8bit):6.516351495265726
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:k9QJ4mjSBzUzdiR5CpmCYvwg76HStzaCd9i2:EqB85C0CYteH6aCbi2
                                                                                                    MD5:3883FF97376691682D004A440DBF6612
                                                                                                    SHA1:252A3C24866C4C3049BE71F450D51C4636640E28
                                                                                                    SHA-256:A61E54F2829B464EFD831F2F00A2F8F99CF58E71E8C905676BDCC7EB77154ACF
                                                                                                    SHA-512:F508BEB028C9594FB8CE50890ADBB660763E9EDD6F210840C81D5869C3DAF1568219FC053B95C311505E8FC613D5EE4A4EFB7DFCEC758E43F1203CF77B6D6BE2
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\IEContentService.exe, Author: ditekSHen
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):118976
                                                                                                    Entropy (8bit):6.281459880554557
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:JxqjQ+P04wsmJC58F/3Oqm3yJFn7DyPSsTITDBkt+ETGBaORneubkuJ:sr85Chh3yJFn6dIvibTCaOFeubks
                                                                                                    MD5:CFAA62E8E09F71AFDF11535BB7C77370
                                                                                                    SHA1:7056433195ECEA9AF6473B5AC746BD1E139FE627
                                                                                                    SHA-256:617203C62C241DCC2D3D6FD4505DDFDDDDEE870AA4225E154BB244B6BE5BB8D4
                                                                                                    SHA-512:F0175CFACB3BCEED78983CB95F221416C29F77F17F43CB14145293AA6985571FD68AAE8EA9C4F5829A53092E0C42D8CF695389F4C0F062FEC02F0743095437A1
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.EXE, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 97%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):216264
                                                                                                    Entropy (8bit):6.312569617561015
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:sr85Cck7EhKG9e5aSUTrWT6ALhWYURNwqMb7Heu8LSakmP:k9R4DqaSOALhW9n0bTeuWSaN
                                                                                                    MD5:30D3A67F3058F2997FE70917E0CF6BF0
                                                                                                    SHA1:64A5048DDACCA55E4223D835ADC431C80839E3AC
                                                                                                    SHA-256:A65FE96E42DA1E3A01DF59A412612E7F2358CABC4E906F80270A76268479A229
                                                                                                    SHA-512:4A326CD77AE23AAEF77E97E4CADAF679C0B5A9C7254D29CBADD6F5344C66E4F7427F074CD065DD68411822F6E7D7241B6D95312E553CCEDC82C0C91170C189CE
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSREC.EXE, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):508160
                                                                                                    Entropy (8bit):4.204812044084468
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:sr85Cxjs2S6bj7lZ6C6zvahEghKaBotvHkHwK:k9xjs363SfShKaBo9EHwK
                                                                                                    MD5:E982EB0F53AE3406388700AF6E61F280
                                                                                                    SHA1:18A7CA63A6FAB57771C8B72B763C76A5F77841BA
                                                                                                    SHA-256:3F4CFFEE48824B2801B399A7E1C0599699B887ECDE7946C1234BD2F5B00478F2
                                                                                                    SHA-512:9DF082B861445A660E64AE47973AEF25168314A8949C17AE42904F3B402684EC31FE372BAAF42C8773F1CC7814A2BDA028A446254645DAC967F6799A2A8231D3
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOSYNC.EXE, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 97%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):564984
                                                                                                    Entropy (8bit):5.7343127030699925
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:k9wYRNgcg+u0BY1QeXBSb+9ZUKyHHzxGBcnYLsFpyHP63/OElEQyqy:EmP+uZ1QeXBSs6QNM/O55
                                                                                                    MD5:A0DFA53959740DDBC5691348F9E11762
                                                                                                    SHA1:D864CFD05F58C0D1CC4472294358DEB3CAB9150B
                                                                                                    SHA-256:AA2A99F1B257875D66C581873298DE290CBB8B95628DF81B594BA3CDE0395B8F
                                                                                                    SHA-512:C06B995A585F60CD3936E5AD80AB77F15AE25806569DE16DB787ED6735A7329A6A2B826616055866341D777CC6CFE0DFB0DCC9689753DE8D7EDB12127474FACD
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):747680
                                                                                                    Entropy (8bit):6.563860785698071
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:siut5wMRQrM5U7GYIiV7WApd8uGk0O3mMYvvmzTrdeM0fsyc/DKRGYP+4hNMyiVf:sTzwMREM5U7GYIiV7W28XO3mM7aTMyiF
                                                                                                    MD5:1026AE3D4904BFDD219A6A3A51EF2F75
                                                                                                    SHA1:6FD36AD56057979B413475E9050C7D4D3FC83BF3
                                                                                                    SHA-256:572EDB50457A36BF22652FFA0E5D9390BB52B83FB64E138ACA308FAC2EF22AC7
                                                                                                    SHA-512:865F1316167D48DEC187F6A71AA5A8481913AC5DFCE21084AEE757284CEE4BFAEF55CE7BCF93B2410C6287945FBD04CB66DE6D34C65EE3C64C4B3F0197BE012E
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\MSQRY32.EXE, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):153392
                                                                                                    Entropy (8bit):6.481711842686246
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:sr85C9NDS5lSsOjTFa1mr+fkT77NDS5lSu0aD0K8tMk+7ms:k99NDS5lSsQa1mr+fmfNDS5lSuLD0KDp
                                                                                                    MD5:E17B04C89921BEA5ED5D0F7842F52BF7
                                                                                                    SHA1:424596B0BB2DFAC4FC9D668A850DC3A9D1DFD436
                                                                                                    SHA-256:ECC3477F55109CA316317523C0B122D684749F90A67FBF685EA4A37F32513A1B
                                                                                                    SHA-512:48C7B1B8DE281BFB9F2620D8213351D07C8BE9B4BA93878F1C616FE5933FCCDC46D5533B04B0EF4D8A0599605F667E228E0A20087C8AF22D1EFB32C314C85931
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\NAMECONTROLSERVER.EXE, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1717544
                                                                                                    Entropy (8bit):6.016143912072138
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24576:DWOXuaQ8eUXyfYvgn2ImMjbDowM1BNCkQ3aVremRRo+hQbzPNywi947QsawN:Al8NXygvgn2KgzEUrhQbzPNyR9lsa2
                                                                                                    MD5:DA312AA05912AB40E3B5B80D4CB7FBC5
                                                                                                    SHA1:3318B5631E71F36E254F4007F0EDDB5C08E5E31E
                                                                                                    SHA-256:E581BE40CDC473C3819132F9FA2942FD1D9FE1C91FC469E19712CC7F0C6B0BC9
                                                                                                    SHA-512:82B38CEAA442C5120224A8D17D21D464B167B81C44542E44B4E09C3AA3CDD33D5D2FC4B36BF8A35C5686C1566D2D6C7C85C572A5E6BA253B7B5BB39718B81E34
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE, Author: ditekSHen
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):199344
                                                                                                    Entropy (8bit):5.596364836421844
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:k9qWnuOvOYOhODOXOYOzODOaOpOxO1O3OvOJO8O+O/ONOHO4O1ONOyOjONONO8OI:ze6xmI
                                                                                                    MD5:C59940D8865E47ED2C1F7A6F86A3C0DB
                                                                                                    SHA1:3A0F4F1F8EC5A9A72C4A587FD310539FDCA6208F
                                                                                                    SHA-256:6B11A9D79F0363C55A34BEDB7B4BCE9E9FC4487DA5ED53C7E2C0E10176486386
                                                                                                    SHA-512:304038168F61055ADB963C199DF5C09C97F46ACC712321BE14BD4C0B97C6A4AF60918A260F07275B1B258797DE70897B5EB013719D617CE43B14E41D0DBDBF1F
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 97%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1598352
                                                                                                    Entropy (8bit):5.64057466441852
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24576:/V2ohJid8Uy2iHlu2w7NbV+D/KTO6lTDMx:wyiuUynHYZVa0OkDMx
                                                                                                    MD5:477F62B58CB896ABD7CB8613C34143B0
                                                                                                    SHA1:70398A72EED1BA70EB2E2ADFCC893091131D695B
                                                                                                    SHA-256:47952850C4B12894327205CA518F29760F747714BFC32B66EA60355596062BF1
                                                                                                    SHA-512:E76F842C10FCFAB081C30B9FD8869120D12FCE96D06E6868C7A8A53CB2BBCC8D9F6FF5C6B2133B2601E968F30BE06C20E721404E0E2728AC1F7458B8978D34A6
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\OcPubMgr.exe, Author: ditekSHen
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1890480
                                                                                                    Entropy (8bit):3.626577416508813
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:k9NT6ZXFzb5Ucyw4T7po25xx2qNcUcMeTOzhc:qTg5Ucy9oexxtcUcMe
                                                                                                    MD5:B4A4064AB06BE46247E26EBB426BF28A
                                                                                                    SHA1:A5E2224B5B64467BCDCFDFA1468DE7E7B0A59E16
                                                                                                    SHA-256:7331BAD015B2AB4CE324FAE45B79C955BACE66C7C268BDC90C2A11D82CD8649D
                                                                                                    SHA-512:CFD0D147E4649F0CFF5853EEAD1C547C22A0EED9553E78F3CD818F088CC73F725D24B696B35420F7ABAAD88EB81C74C7010F863D51CFC1228DEB575F2D7418AA
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):3551912
                                                                                                    Entropy (8bit):3.3573232593996556
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:F0knX9Y5Ucy9oexxr5UcykDuD7fcUcMeV:FxLe3kD0Q
                                                                                                    MD5:A117007C4C779978A6C5D890B847BC98
                                                                                                    SHA1:0AB6D80AD953B8C2152AFB304EB4648B21648465
                                                                                                    SHA-256:686262AC34622190CBCA444A152CDED2E8D626C4F7E0B9045A0FFAF1A2F1A60E
                                                                                                    SHA-512:D0632F9C2B50A2F9EDD51820038B4F9F3193BCEF88AC827343840031D419B1F59D59ED17824E238EEFEFB7EBA704706A0B7859EFCD5C2B29B99531A52DC302A8
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, Author: Arnim Rupp
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\PPTICO.EXE, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 97%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):97072
                                                                                                    Entropy (8bit):6.543326517338806
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:JxqjQ+P04wsmJCtvNuEJzbmAoDucEMQnF0:sr85Ct1uUlbMt
                                                                                                    MD5:DF65F71CC8759F86441E0F07A3623256
                                                                                                    SHA1:652DD618FC30E7BC77D2B31CC02FCE7C77322B71
                                                                                                    SHA-256:EC77869B45D62D729EECA9EE20F7116126C6BE9D6D5798717C2A89C7186F68B3
                                                                                                    SHA-512:991FF8B6F6BA4A651B40479D2C7B1A96DB6A99E196902B67C654E0AE65015909B1A2EFA0EE23BC5D8DF939CFF5F115AA788A873C4210A859FC778BF850B9F20E
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\SCANPST.EXE, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):401112
                                                                                                    Entropy (8bit):6.187772596269455
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:k9dDppHQA0GZHU0MQdtmutQqrvMcHe6Gg1WLu+ffCvkV2hriVFRG5pcGBvcxlD:U/CGN+9qrvMciMiCaI8D
                                                                                                    MD5:442BA7D148A5B05DA25B6136812C399B
                                                                                                    SHA1:6AC7A8CE93C8AF8C1B8589AD06C1CC319A18A293
                                                                                                    SHA-256:B459320677D5C8DB1A82B89355B1DE323DA47C87CCA408153F9EECB6F862B7A8
                                                                                                    SHA-512:969599FF2B64D857AE8E91FA0D3E2D431B2866928E4883E3F1A101D0C58052926387E2F43775DAE5F7AE850A3EEDD37F137AAA421FFB0FCC4AC27F35137FC191
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\SELFCERT.EXE, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 97%
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):97496
                                                                                                    Entropy (8bit):5.941949021977476
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:1536:JxqjQ+P04wsmJC5wM5RpEctMF4PqxgWvwG+TUawK:sr85C5w00callwG+TUawK
                                                                                                    MD5:08C9EFE747D52B7C97EBDAA7616C8271
                                                                                                    SHA1:7474EDC076F64726324CB1405E1C65B47DB6E17B
                                                                                                    SHA-256:CE4A6A2DED14AF0BB753103EA5C16FBFFAA03773A4B180A6E9289CC9046EAF0D
                                                                                                    SHA-512:DA444A2520031C0BF4401BB201E34E121A556C42838D8925C53B2FC83FBA8505CF346D3AF26C2A30DFB96D87BD7441AB45CAC96879FAB0369C1ACB48280D7EEE
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\SETLANG.EXE, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 98%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1119024
                                                                                                    Entropy (8bit):4.825577989169068
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:yW5pS9L2k8TsUz71UL9DuNvdbsA3syoWh4Jr:yWDSRK71A1uNmnC4Jr
                                                                                                    MD5:BEA2AD6850108169F81A818546C0C1EF
                                                                                                    SHA1:8AA4608188E4484AACB7973F85425A0660F80D23
                                                                                                    SHA-256:0606DC5D058414B632FD717DDEFF2D794A9C7D9DF77F6B550E92B4E67360AE0C
                                                                                                    SHA-512:EA8FD6B5D21ADB98E4FC5AFE64D3A58F145B0B090AC256F92F618DD84F89E3187996572BAE2CB4642B03421A94EED83D8941A3EEB35705D3D3F27D40D68AB778
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe, Author: ditekSHen
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):345288
                                                                                                    Entropy (8bit):5.604022763849136
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:k9sPeJiOSJeUC2AI01h7OD2+gVmW7y36RaR2S8/KaQ:9FJeUCzI01hY9Aj7o8W
                                                                                                    MD5:F4D74A3E2C454B359EBCE229E03D6D15
                                                                                                    SHA1:B388806ACBD5C61C493EDF5323852CF72CD385EE
                                                                                                    SHA-256:793D263EEAA4B383826E838A14C5B68C8159E81DA428DB2531F4615380EEFB76
                                                                                                    SHA-512:15600E3D199233DFB84A0733DCD01736B4318FF086CA5888823F18419B95741B5B2A83B4D268446174C7BFE7552BB8046D992F4E853FF2000A3AA4A7BF8DBBD4
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\VPREVIEW.EXE, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 96%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1979160
                                                                                                    Entropy (8bit):3.8393367118042114
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:k9G23FukA1kAb0rEbrESZU8wFjNHsNurY:q3E790rEbrECNiY
                                                                                                    MD5:82F1E75BB8C77982089DE6994CEF7CB6
                                                                                                    SHA1:A4A4F80C3990F6A4723D13155B13406F0FF0A035
                                                                                                    SHA-256:44E9598558628F634A0EA8D30C5AD19BE75265C5208D1C997FA01CCF14B36B96
                                                                                                    SHA-512:DB59F5449A6B21507C79D1D052AE70CDA0A859E35D7500FE61E14032DB0C9A3790725EAECFF2736AFA699F1F46158A99AA55A89DB3E8F86168B53EDEF078D5DD
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE, Author: ditekSHen
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):3057832
                                                                                                    Entropy (8bit):3.4614725617151314
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:k9fcZUNrfkrfzMwFjNVtZ9EYDEWs3cKrFYWKKnKK02NqTlaX:hRtZ2YDEWs3cKrFYWKKnKK3ocX
                                                                                                    MD5:CB31D8C2DD93637FB0191D70014DE6F4
                                                                                                    SHA1:DB5687E6C66ED4E47133F30A77DF572B3EF287E4
                                                                                                    SHA-256:B578A27ECFB0189254C00BDF37A198659721AD6340781BFA3001EF6E89FE62D5
                                                                                                    SHA-512:7FEA9BC27DC0F26FAA2CE1ECECF6563CB59D1AC38F1A1F4C82AC2347BC146728174C758C8BB467F1F3587656714D5CA927996898D1DDF8AFDA61D02B172BDB54
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\WORDICON.EXE, Author: ditekSHen
                                                                                                    Antivirus:
                                                                                                    • Antivirus: ReversingLabs, Detection: 97%
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:modified
                                                                                                    Size (bytes):3728040
                                                                                                    Entropy (8bit):3.366413518949862
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:k95DYJniVbgn0Cuc6evCvAHfOXYdrqtAhoGfufLN1Z7:yDYJnQYgSXMR19
                                                                                                    MD5:B1F52E736ACFF704E3D272B4E5FE21D3
                                                                                                    SHA1:7F1FAFAD77B555FE9BCF743B6AB287B2F5C18903
                                                                                                    SHA-256:5FE59FF4D80FC714063DB7381A7E9E88D303BCB22B2BD73F73071CBA3B2544B3
                                                                                                    SHA-512:DADB2CAC72AE69EFA9350893FAF2E9160B772F2DFBF967A72E00EEBDA425CB791225CD76B0B49A2F080A780F2F1B20B525C4C8D924CAAFAB8E73ABDA3E46EB06
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, Author: Arnim Rupp
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\XLICONS.EXE, Author: ditekSHen
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):779568
                                                                                                    Entropy (8bit):3.908021969671963
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:k9gkYNiTF7BjXnhMKNRneNMToeGYAXLMDpQCfhmLV:fkHTz9cRLMdQYWV
                                                                                                    MD5:8C3B0E435921E204224DDCAA4C449F55
                                                                                                    SHA1:E8E9EDE55C9FF8F0CC6AE3F344698068F475518E
                                                                                                    SHA-256:A65D99A7B630A8078788CC3212019015F435F25A5C1E50881E931B4C72797681
                                                                                                    SHA-512:495999B69450D7E0B69CE54FD1AE388D6B4B1F4A9123BE8A3F043B94E26A78E101D358DE9303F260C6FD4EB5184CCF2F3664962F529E5786BAB208F92E1EF92E
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe, Author: ditekSHen
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):9384960
                                                                                                    Entropy (8bit):6.481029897216704
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:196608:Kcs45Kb0KuviDnYatO4HbnvVa73gRT3BWziGis9qhSfpmL:KNb0KuvenYiOGTV03GxWfis9qhr
                                                                                                    MD5:4DFAB259E8E581428A857AACB9726D0F
                                                                                                    SHA1:C3566A0D65B101F42D0A41C93A37C4CD4526A836
                                                                                                    SHA-256:F183E033C94F5E4CDD73C96B7C7562C371CCA2109ED0BBB029DC780E0FDAFA83
                                                                                                    SHA-512:64E288C445D3BAE532170642CABE1D3339913614A7ABA82521E7EF97E3F6989B09E34174245B6D0BCFF80CCCC723EA0C592807E2BFE11019AF7004BDAA166075
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, Author: Arnim Rupp
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\lynchtmlconv.exe, Author: ditekSHen
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1069224
                                                                                                    Entropy (8bit):3.692305981725916
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:sr85Cco4TUawK1uT040i0ougmQmJDJnJ+20FxPlJPPSSPJ/Z:k9N243xmQm59UtUSxh
                                                                                                    MD5:DE1BDD8AFE5C15AA550F72FE0AB41724
                                                                                                    SHA1:D0B444BEA8EEE42F873CF1D1CA16BCCA731FD4F3
                                                                                                    SHA-256:4B41036D99636462320122BDC38CF6B4BD9F4371AE8BBDFEB8FC9C7F826590C3
                                                                                                    SHA-512:0345A2FFCBD21C90714D293A675EC64082B24475F5B28FB5F93931197DB23BAC127F4A0235A42900D6D301F02CC4C81B0CEF3FE494D303C64B8677AF8410D1D8
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\misc.exe, Author: ditekSHen
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):778768
                                                                                                    Entropy (8bit):5.418959142074324
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:stfUJogx+ymi4l0AIFkxAavN50P7DKacrdL+GNXuwt:0UJDxwOfmAe5ADPcrR+GNXuwt
                                                                                                    MD5:6D5320812064B92918E1C0FC4C60DA82
                                                                                                    SHA1:7D28822DFC438BC426B6EC91B2E465653A55AA4B
                                                                                                    SHA-256:934E03AAED6C01C03B2E358C88D59471D8C899E4D0EA756226C66966142EC660
                                                                                                    SHA-512:06C9C6E42D737501EBE2C846AA871F92285D1B00ACA122F3329E34BD8A2EEE5160834695B93D95DE24D5B25C7878854792BDF57A9C1E04449821C2886FFAEA91
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Program Files (x86)\Microsoft Office\Office16\protocolhandler.exe, Author: ditekSHen
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):207360
                                                                                                    Entropy (8bit):7.447625453475649
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:yzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HInQT9cx77B7aqetQ0XdeMBma1X:yLV6Bta6dtJmakIM5Qx79PEQ8QVPq
                                                                                                    MD5:7F00E9819E4B205654B46E0090E6763E
                                                                                                    SHA1:03F91788AF9FF6E6677900CE43AC390BFBB8ACDB
                                                                                                    SHA-256:2FC2AB12BB0FC8B14781FA05AEA2C2C847F2C221F43DAFDEA9C6BD7344ACB07E
                                                                                                    SHA-512:CFED642BFAA5D6BAAB6D01DFCCAAA6CD067CC9B80AD07C790169B7F2F43EEF27AF604D11488202E5CE2F076D34E3242904FD2EDAB206AB3CF2578C2CF7BD2F56
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, Author: ditekSHen
                                                                                                    • Rule: NanoCore, Description: unknown, Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, Author: unknown
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................`........... ........@.. ......................................................................8...W.... ...]........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc....]... ...^..................@..@................t.......H...........T............................................................0..Q........o5.......*.o6....-.&......3+..+.... ....3......1..... 2.... ....3.... .......*.*....0..E.......s7....-(&s8....-&&s9....,$&s:........s;........*.....+.....+.....+.....0..........~....o<...*..0..........~....o=...*..0..........~....o>...*..0..........~....o?...*..0..........~....o@...*..0.............-.&(A...*&+...0..$.......~B........-.(...+.-.&+..B...+.~B...*.0.............-.&(A...*&+...0..
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):464936
                                                                                                    Entropy (8bit):6.360683839248502
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:k9DQcslnC3znG+xfbMgyGn7LiJdKkAtyKuskePvX2Zp7DmuXYvr6ys/pJYCf:PlnCxjMyn72/KkAtydem3nM6BHYo
                                                                                                    MD5:6A02DFAEE140217151427D7301E61289
                                                                                                    SHA1:793B86D11BD13C12BB8D60E01F36A21A3CE2F728
                                                                                                    SHA-256:7F474C8C7643AB7A5AA9CDB27A93ECB7CA3F23ED8AF916CB7FC5905F572CF732
                                                                                                    SHA-512:A4E21A104CD9C772799AA84632EE821A0B0CF859721F6C3482BC532221DFFFDA8186888BBB9B52391E3E9F472631F3C5320A7DD4976ED49674F8BF322E4A9DA6
                                                                                                    Malicious:true
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):464936
                                                                                                    Entropy (8bit):6.360683839248502
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:k9DQcslnC3znG+xfbMgyGn7LiJdKkAtyKuskePvX2Zp7DmuXYvr6ys/pJYCf:PlnCxjMyn72/KkAtydem3nM6BHYo
                                                                                                    MD5:6A02DFAEE140217151427D7301E61289
                                                                                                    SHA1:793B86D11BD13C12BB8D60E01F36A21A3CE2F728
                                                                                                    SHA-256:7F474C8C7643AB7A5AA9CDB27A93ECB7CA3F23ED8AF916CB7FC5905F572CF732
                                                                                                    SHA-512:A4E21A104CD9C772799AA84632EE821A0B0CF859721F6C3482BC532221DFFFDA8186888BBB9B52391E3E9F472631F3C5320A7DD4976ED49674F8BF322E4A9DA6
                                                                                                    Malicious:true
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):506352
                                                                                                    Entropy (8bit):6.095410299784229
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6144:k9r5Qw0tneDA/sqhleIc0HftDrkYY1hj63hgDonsogCh6NEpAFH78r:abM3npxYfj63hgD1Zim8r
                                                                                                    MD5:05BDFD8A3128AB14D96818F43EBE9C0E
                                                                                                    SHA1:495CBBD020391E05D11C52AA23BDAE7B89532EB7
                                                                                                    SHA-256:7B945C7E6B8BFBB489F003ECD1D0DCD4803042003DE4646D4206114361A0FBBB
                                                                                                    SHA-512:8D9B9FC407986BD53FE3B56C96B7371CC782B4BAC705253BFB0A2B0B1E6883FDB022F1AC87B8BFD7005291991B6A3DFBACEAB54F5D494E0AF70F0435A0B8B0DA
                                                                                                    Malicious:true
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):193552
                                                                                                    Entropy (8bit):6.404108786421927
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:sr85CxOIFRq+fPkorzr30W3Zqa/TVm3c+ZIVoarXRKKntTKxsN:k9x9FfPkoXLZucR5X8KtmKN
                                                                                                    MD5:50650D11436F6D155BCECEC4F8473A4D
                                                                                                    SHA1:2546A208611ACE7059618EBFE3970ACDC32AED97
                                                                                                    SHA-256:2002476D84D021A8C87A160C584FDF42865D663A417B059F446F124103C8058E
                                                                                                    SHA-512:E7EE2984A2EFDCE714EBC4014C64D865836E719F8006F221A24E2C3BC45B10832AE1E4DD546BCDE092126C138579515819D3D04C153733C21BE809B6DB28ACE4
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Microsoft\Windows Defender\Scans\MpPayloadData\mpengine.exe, Author: ditekSHen
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):502872
                                                                                                    Entropy (8bit):6.915395359459785
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:9B+pwPprnVmLmDsC+FU+ZOSzt9tzZcymOz:XDFncLmKDZOSzXFZcLOz
                                                                                                    MD5:15E2E55ED826096410F0FFF7BA3B073E
                                                                                                    SHA1:404B2DFB6E813F40D77CFE38205455CC85789B03
                                                                                                    SHA-256:799EDE10AD0FDC613FBA39710FC6772F04EEEF22C6934E72E61C0B185306DE13
                                                                                                    SHA-512:F21B6FC549706ECF6F09233BDE35EFBDB4B60B1B37472B7F3A112BCD288ADA905F2F03F7F223C26B2D82DE59D8784649A69CBF6FEB5AB2769A35D861935F713E
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe, Author: ditekSHen
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):497192
                                                                                                    Entropy (8bit):7.03168443786024
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:/0IursYCYQeSnyZJiqlEbXSb9NtoqOFBqkYHkZH:8MYenGJiKEbXWtpOLl5
                                                                                                    MD5:86749CD13537A694795BE5D87EF7106D
                                                                                                    SHA1:538030845680A8BE8219618DAEE29E368DC1E06C
                                                                                                    SHA-256:8C35DCC975A5C7C687686A3970306452476D17A89787BC5BD3BF21B9DE0D36A5
                                                                                                    SHA-512:7B6AE20515FB6B13701DF422CBB0844D26C8A98087B2758427781F0BF11EB9EC5DA029096E42960BF99DDD3D4F817DB6E29AC172039110DF6EA92547D331DB4C
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe, Author: ditekSHen
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):696088
                                                                                                    Entropy (8bit):7.197257231663585
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:kskY7gjcjhVIEhqgM7bWvcsi6aVSvIyZzJ9ztLz5/YTjnMwJ:ksZgjS1hqgSC/izafZzJZhz5QPMK
                                                                                                    MD5:7DC920CF276522CB3A6A63A6973F9565
                                                                                                    SHA1:DF629F79DCDC55D6F8283B95AE6FAE04D7B10C4C
                                                                                                    SHA-256:A011D9599A75FF96D7E094CD7BB3C779C42321E8F55D1BE66899CD30657AE574
                                                                                                    SHA-512:FC4489615F84B22EA20426F6351D814C31FC914812E9C8B09FE7E5AA3DB8E279F7BA9F15C10945A3FD72E0DE735C2D6BC3B9AEC0EC44FF8317BBC51FEAA736A8
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe, Author: ditekSHen
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):497048
                                                                                                    Entropy (8bit):7.031762109482844
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:/0IursYCYQeSnyZJiqlEbXSb9NtCGOF2O27MVz+ZH:8MYenGJiKEbXWtfOkU+
                                                                                                    MD5:87F15006AEA3B4433E226882A56F188D
                                                                                                    SHA1:E3AD6BEB8229AF62B0824151DBF546C0506D4F65
                                                                                                    SHA-256:8D0045C74270281C705009D49441167C8A51AC70B720F84FF941B39FAD220919
                                                                                                    SHA-512:B01A8AF6DC836044D2ADC6828654FA7A187C3F7FFE2A4DB4C73021BE6D121F9C1C47B1643513C3F25C0E1B5123B8CE2DC78B2CA8CE638A09C2171F158762C7C1
                                                                                                    Malicious:true
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):696096
                                                                                                    Entropy (8bit):7.197890425464557
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:kskY7gjcjhVIEhqgM7bWvcsi6aVU7Iys6W1wXK4Qzh+jMlWCEhWnMwJ:ksZgjS1hqgSC/izof81wiz0wygMK
                                                                                                    MD5:FA982A173F9D3628C2B3FF62BD8A2F87
                                                                                                    SHA1:2CFB18D542AE6B6CF5A1223F1A77DEFD9B91FA56
                                                                                                    SHA-256:BC5D80D05A1BD474CB5160782765BF973BA34EA25DEDF7E96DFAF932B9935032
                                                                                                    SHA-512:95CA9066A2E5272494B8E234220B6028C14892679023CA70801475C38D341032363589375EC6FFC4CDE3416DD88D0E3082D315F7BEDDCCDF014122DDD0A90644
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe, Author: ditekSHen
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):502840
                                                                                                    Entropy (8bit):6.916526410604879
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:9B+pwPprnVmLmDsC+FU+ZOSzDBtzY7UWfR2hymOz:XDFncLmKDZOSz1FO5iLOz
                                                                                                    MD5:4B27661E864382B71FFD26D67125A9D0
                                                                                                    SHA1:9C81DE53C4467C81FF239A4B692B1C6376FD8B71
                                                                                                    SHA-256:78E085875002746CBC6F4AF5DC7D15157409FE94B23D89FC1BD58E9E1242302B
                                                                                                    SHA-512:EB158EE00684AE85A83EBA789A7F5AFCE7DEF52BA58B37BB7621F41129DEF0281C6EC6551F3A84B4FE516B7B88A8E220EBEEDAF80617C218CA44735EB028A093
                                                                                                    Malicious:true
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Program Files\DHCP Monitor\dhcpmon.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):525
                                                                                                    Entropy (8bit):5.278948378331044
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:Q3LaJcP0kaHYGLi1B01kKVdisk70/9UkB9tv:MLfaYgioQcpBT
                                                                                                    MD5:9AF7671D4ABE5659B81446667F85255E
                                                                                                    SHA1:4EEB5A2CD0A635EEDE03D35E56A6DE775A61761C
                                                                                                    SHA-256:6EA3C77011EEF418C5D3D2B00D1E4602390CB747B347AB8542A89AAD6136779A
                                                                                                    SHA-512:CAB4891DB9592138F748A59DC44E82BF9664CDF80084B982BE2BEE2DEC57CA26AE71C9B10F2AF9944B86579F89D44660851C0AAC25BFB13ACF719612A25B854B
                                                                                                    Malicious:false
                                                                                                    Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System\1201f26cb986c93f55044bb4fa22b294\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Drawing\b12bbcf27f41d96fe44360ae0b566f9b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Windows.Forms\454c09ea87bde1d5f545d60232083b79\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualBas#\76002c3c0a2b9f0c8687ad35e8d9d309\Microsoft.VisualBasic.ni.dll",0..
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):207360
                                                                                                    Entropy (8bit):7.447625453475649
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3072:yzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HInQT9cx77B7aqetQ0XdeMBma1X:yLV6Bta6dtJmakIM5Qx79PEQ8QVPq
                                                                                                    MD5:7F00E9819E4B205654B46E0090E6763E
                                                                                                    SHA1:03F91788AF9FF6E6677900CE43AC390BFBB8ACDB
                                                                                                    SHA-256:2FC2AB12BB0FC8B14781FA05AEA2C2C847F2C221F43DAFDEA9C6BD7344ACB07E
                                                                                                    SHA-512:CFED642BFAA5D6BAAB6D01DFCCAAA6CD067CC9B80AD07C790169B7F2F43EEF27AF604D11488202E5CE2F076D34E3242904FD2EDAB206AB3CF2578C2CF7BD2F56
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, Author: ditekSHen
                                                                                                    • Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, Author: unknown
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................`........... ........@.. ......................................................................8...W.... ...]........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc....]... ...^..................@..@................t.......H...........T............................................................0..Q........o5.......*.o6....-.&......3+..+.... ....3......1..... 2.... ....3.... .......*.*....0..E.......s7....-(&s8....-&&s9....,$&s:........s;........*.....+.....+.....+.....0..........~....o<...*..0..........~....o=...*..0..........~....o>...*..0..........~....o?...*..0..........~....o@...*..0.............-.&(A...*&+...0..$.......~B........-.(...+.-.&+..B...+.~B...*.0.............-.&(A...*&+...0..
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):2715632
                                                                                                    Entropy (8bit):6.546876603381584
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:49152:tnc3R1lRf+yAHLvThf0we+9fPF0RkBOETd4rekv:WbbAHPFDp4V
                                                                                                    MD5:D543B59F442F7DBD64F80911179EC89C
                                                                                                    SHA1:DE8A44AC54C61DF250C2866B9B1F4772CFD41787
                                                                                                    SHA-256:DCE4561096E4E95683E8AB54EC340A2DC216C75884C365B980FE91631010D977
                                                                                                    SHA-512:0BCDAB4602BAD19E03A43622818E12FD219D0698BB04DF844D9FD6B82F2C4837891FE5B6AEC9D976E721B8572C58131EA72062B76BC234DF8A43D6F9489ED701
                                                                                                    Malicious:true
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    Process:C:\Windows\svchost.com
                                                                                                    File Type:Non-ISO extended-ASCII text, with no line terminators
                                                                                                    Category:modified
                                                                                                    Size (bytes):8
                                                                                                    Entropy (8bit):3.0
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:Zw:Zw
                                                                                                    MD5:2E09FF4ECBFEB39F03DD94969AA346F3
                                                                                                    SHA1:63D4460F76F07A536AB227351E60BDB92BE3742E
                                                                                                    SHA-256:534428833526478E0357B4D191C6DA8FA3B9890B6B535585FEB4914753C10A23
                                                                                                    SHA-512:A8661879D9214C7EE7C794F46D2136D419B7B89012CCDDBD5C8A78EB29AB81BBD49F972EC604135ABCB0B36C3D8E8C908444B8924F3F6B09670B06D13570BDF0
                                                                                                    Malicious:false
                                                                                                    Preview:e.[l.&A
                                                                                                    Process:C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe
                                                                                                    File Type:International EBCDIC text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):8
                                                                                                    Entropy (8bit):3.0
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:dY:2
                                                                                                    MD5:03F52ED29FDD64A0BB6BD6FAB4114B90
                                                                                                    SHA1:2828B41FBC532AC4C5E6D2F1BE92023590C47999
                                                                                                    SHA-256:D08F05CD41171206DBB58E2FD94F6206F4E3FD81B51E2731018B0D705D15CDA1
                                                                                                    SHA-512:495836F0327919649C56EB41A61623833A2B49CDCE7C665873C476580A03A13EFBF573C92B057F321CC4AC80AA1F968E5FFA848951FF279938519C91DFB3CF8F
                                                                                                    Malicious:true
                                                                                                    Preview:..E..a.H
                                                                                                    Process:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):41472
                                                                                                    Entropy (8bit):5.976684810818399
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:768:eyxqjQl/EMQt4Oei7RwsHxyP7nbxzOQdJ:JxqjQ+P04wsmJC
                                                                                                    MD5:36FD5E09C417C767A952B4609D73A54B
                                                                                                    SHA1:299399C5A2403080A5BF67FB46FAEC210025B36D
                                                                                                    SHA-256:980BAC6C9AFE8EFC9C6FE459A5F77213B0D8524EB00DE82437288EB96138B9A2
                                                                                                    SHA-512:1813A6A5B47A9B2CD3958CF4556714AE240F2AA19D0A241B596830F0F2B89A33EC864D00CE6A791D323A58DFBFF42A0FDED65EEFBF980C92685E25C0EC415D92
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Windows\svchost.com, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Windows\svchost.com, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Windows\svchost.com, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Windows\svchost.com, Author: ditekSHen
                                                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................t...*...................@..............................................@...........................P..d............................................................p......................................................CODE....,r.......t.................. ..`DATA.................x..............@...BSS..................|...................idata..d....P.......|..............@....tls.........`...........................rdata.......p......................@..P.reloc..............................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Entropy (8bit):7.339754709472576
                                                                                                    TrID:
                                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.32%
                                                                                                    • Win32 Executable (generic) a (10002005/4) 49.28%
                                                                                                    • Win32 Executable Borland Delphi 6 (262906/60) 1.30%
                                                                                                    • Win32 Executable Delphi generic (14689/80) 0.07%
                                                                                                    • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                                                    File name:IntelCpHeciSvc.exe
                                                                                                    File size:248832
                                                                                                    MD5:6b4a5a412e90721fba5170a25caefbd4
                                                                                                    SHA1:7796314ed7b9b9472b98d6efbb93164e44877c34
                                                                                                    SHA256:62271e4b8eeb27837dda10e85fb4b4a8f0c54b319ea06d28ffd56fab022d6f18
                                                                                                    SHA512:d17175feb0eb585f8a8e82dcd31c1b44b9c80e13d5ea9aaeeb9685af7d4e0b799b34a94112cd2e719b0e9d68f208443a7112b1962429461dd639655f090c8d30
                                                                                                    SSDEEP:3072:sr85Cd1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HInQT9cx77B7aqetQ0XdeMBma1uT:k9dta6dtJmakIM5Qx79PEQ8QVPkLV6h
                                                                                                    TLSH:DB34C055B7E4893FE29E46BC611252128339D2E3ACD3F3EE28D455B69F263E0060B1D3
                                                                                                    File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                                    Icon Hash:90cececece8e8eb0
                                                                                                    Entrypoint:0x4080e4
                                                                                                    Entrypoint Section:CODE
                                                                                                    Digitally signed:false
                                                                                                    Imagebase:0x400000
                                                                                                    Subsystem:windows gui
                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                    DLL Characteristics:
                                                                                                    Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                                                    TLS Callbacks:
                                                                                                    CLR (.Net) Version:
                                                                                                    OS Version Major:4
                                                                                                    OS Version Minor:0
                                                                                                    File Version Major:4
                                                                                                    File Version Minor:0
                                                                                                    Subsystem Version Major:4
                                                                                                    Subsystem Version Minor:0
                                                                                                    Import Hash:9f4693fc0c511135129493f2161d1e86
                                                                                                    Instruction
                                                                                                    push ebp
                                                                                                    mov ebp, esp
                                                                                                    add esp, FFFFFFE0h
                                                                                                    xor eax, eax
                                                                                                    mov dword ptr [ebp-20h], eax
                                                                                                    mov dword ptr [ebp-18h], eax
                                                                                                    mov dword ptr [ebp-1Ch], eax
                                                                                                    mov dword ptr [ebp-14h], eax
                                                                                                    mov eax, 00408054h
                                                                                                    call 00007F2320AC6737h
                                                                                                    xor eax, eax
                                                                                                    push ebp
                                                                                                    push 00408220h
                                                                                                    push dword ptr fs:[eax]
                                                                                                    mov dword ptr fs:[eax], esp
                                                                                                    mov eax, 004091A8h
                                                                                                    mov ecx, 0000000Bh
                                                                                                    mov edx, 0000000Bh
                                                                                                    call 00007F2320AC9881h
                                                                                                    mov eax, 004091B4h
                                                                                                    mov ecx, 00000009h
                                                                                                    mov edx, 00000009h
                                                                                                    call 00007F2320AC986Dh
                                                                                                    mov eax, 004091C0h
                                                                                                    mov ecx, 00000003h
                                                                                                    mov edx, 00000003h
                                                                                                    call 00007F2320AC9859h
                                                                                                    mov eax, 004091DCh
                                                                                                    mov ecx, 00000003h
                                                                                                    mov edx, 00000003h
                                                                                                    call 00007F2320AC9845h
                                                                                                    mov eax, dword ptr [00409210h]
                                                                                                    mov ecx, 0000000Bh
                                                                                                    mov edx, 0000000Bh
                                                                                                    call 00007F2320AC9831h
                                                                                                    call 00007F2320AC9888h
                                                                                                    lea edx, dword ptr [ebp-14h]
                                                                                                    xor eax, eax
                                                                                                    call 00007F2320AC7172h
                                                                                                    mov eax, dword ptr [ebp-14h]
                                                                                                    call 00007F2320AC7706h
                                                                                                    cmp eax, 0000A200h
                                                                                                    jle 00007F2320ACA927h
                                                                                                    call 00007F2320AC9E06h
                                                                                                    call 00007F2320ACA619h
                                                                                                    mov eax, 004091C4h
                                                                                                    mov ecx, 00000003h
                                                                                                    mov edx, 00000003h
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x15000          0x864         .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x19000          0x1400        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x18000          0x5cc         .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x17000          0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
CODE    0x1000           0x722c        0x7400    False     0.6173558728448276  data       6.511672174892103   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA    0x9000           0x218         0x400     False     0.3623046875        data       3.1516983405583385  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS     0xa000           0xa899        0x0       False     0                   empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata  0x15000          0x864         0xa00     False     0.37421875          data       4.173859768945439   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls    0x16000          0x8           0x0       False     0                   empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata  0x17000          0x18          0x200     False     0.05078125          data       0.2069200177871819  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc  0x18000          0x5cc         0x600     False     0.8483072916666666  data       6.443093465893509   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc   0x19000          0x1400        0x1400    False     0.1302734375        data       1.296744017426327   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Name           RVA      Size    Type  Language  Country
RT_ICON        0x19150  0x10a8  data  Russian   Russia
RT_RCDATA      0x1a1f8  0x10    data
RT_RCDATA      0x1a208  0xac    data
RT_GROUP_ICON  0x1a2b4  0x14    data  Russian   Russia

DLL           Import
kernel32.dll  DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, GetThreadLocale, GetStartupInfoA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll    GetKeyboardType, MessageBoxA
advapi32.dll  RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll  SysFreeString, SysReAllocStringLen
kernel32.dll  TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll  RegSetValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll  WriteFile, WinExec, SetFilePointer, SetFileAttributesA, SetEndOfFile, SetCurrentDirectoryA, ReleaseMutex, ReadFile, GetWindowsDirectoryA, GetTempPathA, GetShortPathNameA, GetModuleFileNameA, GetLogicalDriveStringsA, GetLocalTime, GetLastError, GetFileSize, GetFileAttributesA, GetDriveTypeA, GetCommandLineA, FreeLibrary, FindNextFileA, FindFirstFileA, FindClose, DeleteFileA, CreateMutexA, CreateFileA, CreateDirectoryA, CloseHandle
gdi32.dll     StretchDIBits, SetDIBits, SelectObject, GetObjectA, GetDIBits, DeleteObject, DeleteDC, CreateSolidBrush, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, BitBlt
user32.dll    ReleaseDC, GetSysColor, GetIconInfo, GetDC, FillRect, DestroyIcon, CopyImage, CharLowerBuffA
shell32.dll   ShellExecuteA, ExtractIconA

Language of compilation system  Country where language is spoken
Russian                         Russia

Timestamp                        Source Port  Dest Port  Source IP    Dest IP
                                                                                                    May 30, 2023 05:04:19.282850981 CEST549844971479.134.225.25192.168.2.7
                                                                                                    May 30, 2023 05:04:19.790879011 CEST4971454984192.168.2.779.134.225.25
                                                                                                    May 30, 2023 05:04:19.814150095 CEST549844971479.134.225.25192.168.2.7
                                                                                                    May 30, 2023 05:04:24.419668913 CEST4971554984192.168.2.779.134.225.25
                                                                                                    May 30, 2023 05:04:24.442877054 CEST549844971579.134.225.25192.168.2.7
                                                                                                    May 30, 2023 05:04:24.963188887 CEST4971554984192.168.2.779.134.225.25
                                                                                                    May 30, 2023 05:04:24.986629963 CEST549844971579.134.225.25192.168.2.7
                                                                                                    May 30, 2023 05:04:25.494482994 CEST4971554984192.168.2.779.134.225.25
                                                                                                    May 30, 2023 05:04:25.517893076 CEST549844971579.134.225.25192.168.2.7
                                                                                                    May 30, 2023 05:04:30.657922983 CEST4971654984192.168.2.779.134.225.25
                                                                                                    May 30, 2023 05:04:30.681288004 CEST549844971679.134.225.25192.168.2.7
                                                                                                    May 30, 2023 05:04:31.198075056 CEST4971654984192.168.2.779.134.225.25
                                                                                                    May 30, 2023 05:04:31.221323967 CEST549844971679.134.225.25192.168.2.7
                                                                                                    May 30, 2023 05:04:31.807533979 CEST4971654984192.168.2.779.134.225.25
                                                                                                    May 30, 2023 05:04:31.830872059 CEST549844971679.134.225.25192.168.2.7
                                                                                                    May 30, 2023 05:04:35.911439896 CEST4971754984192.168.2.779.134.225.25
                                                                                                    May 30, 2023 05:04:35.937855959 CEST549844971779.134.225.25192.168.2.7
                                                                                                    May 30, 2023 05:04:36.524955034 CEST4971754984192.168.2.779.134.225.25
                                                                                                    May 30, 2023 05:04:36.549006939 CEST549844971779.134.225.25192.168.2.7
                                                                                                    May 30, 2023 05:04:37.048908949 CEST4971754984192.168.2.779.134.225.25
                                                                                                    May 30, 2023 05:04:37.072206020 CEST549844971779.134.225.25192.168.2.7
                                                                                                    May 30, 2023 05:04:41.128586054 CEST4971854984192.168.2.779.134.225.25
                                                                                                    May 30, 2023 05:04:41.151904106 CEST549844971879.134.225.25192.168.2.7
                                                                                                    May 30, 2023 05:04:41.659207106 CEST4971854984192.168.2.779.134.225.25
                                                                                                    May 30, 2023 05:04:41.682498932 CEST549844971879.134.225.25192.168.2.7
                                                                                                    May 30, 2023 05:04:42.195760012 CEST4971854984192.168.2.779.134.225.25
                                                                                                    May 30, 2023 05:04:42.219254017 CEST549844971879.134.225.25192.168.2.7
                                                                                                    May 30, 2023 05:04:47.367078066 CEST4971954984192.168.2.779.134.225.25
                                                                                                    May 30, 2023 05:04:47.390151978 CEST549844971979.134.225.25192.168.2.7
                                                                                                    May 30, 2023 05:04:47.905013084 CEST4971954984192.168.2.779.134.225.25
                                                                                                    May 30, 2023 05:04:47.928586960 CEST549844971979.134.225.25192.168.2.7
                                                                                                    May 30, 2023 05:04:48.436286926 CEST4971954984192.168.2.779.134.225.25
                                                                                                    May 30, 2023 05:04:48.459469080 CEST549844971979.134.225.25192.168.2.7
                                                                                                    May 30, 2023 05:04:53.229890108 CEST4972054984192.168.2.779.134.225.25
                                                                                                    May 30, 2023 05:04:53.253185987 CEST549844972079.134.225.25192.168.2.7
                                                                                                    May 30, 2023 05:04:53.780492067 CEST4972054984192.168.2.779.134.225.25
                                                                                                    May 30, 2023 05:04:53.803709030 CEST549844972079.134.225.25192.168.2.7
                                                                                                    May 30, 2023 05:04:54.311852932 CEST4972054984192.168.2.779.134.225.25
                                                                                                    May 30, 2023 05:04:54.335309029 CEST549844972079.134.225.25192.168.2.7
                                                                                                    May 30, 2023 05:04:59.561793089 CEST4972154984192.168.2.779.134.225.25
                                                                                                    May 30, 2023 05:04:59.585323095 CEST549844972179.134.225.25192.168.2.7
                                                                                                    May 30, 2023 05:05:00.093504906 CEST4972154984192.168.2.779.134.225.25
                                                                                                    May 30, 2023 05:05:00.118935108 CEST549844972179.134.225.25192.168.2.7
                                                                                                    May 30, 2023 05:05:00.624818087 CEST4972154984192.168.2.779.134.225.25
                                                                                                    May 30, 2023 05:05:00.648344994 CEST549844972179.134.225.25192.168.2.7
                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                    May 30, 2023 05:03:04.193967104 CEST5083553192.168.2.78.8.8.8
                                                                                                    May 30, 2023 05:03:04.220006943 CEST53508358.8.8.8192.168.2.7
                                                                                                    May 30, 2023 05:03:09.763631105 CEST5050553192.168.2.78.8.8.8
                                                                                                    May 30, 2023 05:03:09.799726963 CEST53505058.8.8.8192.168.2.7
                                                                                                    May 30, 2023 05:03:15.148186922 CEST6117853192.168.2.78.8.8.8
                                                                                                    May 30, 2023 05:03:15.174299002 CEST53611788.8.8.8192.168.2.7
                                                                                                    May 30, 2023 05:03:20.493885040 CEST6392653192.168.2.78.8.8.8
                                                                                                    May 30, 2023 05:03:20.521481037 CEST53639268.8.8.8192.168.2.7
                                                                                                    May 30, 2023 05:03:25.785439968 CEST5333653192.168.2.78.8.8.8
                                                                                                    May 30, 2023 05:03:25.812330008 CEST53533368.8.8.8192.168.2.7
                                                                                                    May 30, 2023 05:03:31.181466103 CEST5100753192.168.2.78.8.8.8
                                                                                                    May 30, 2023 05:03:31.210273981 CEST53510078.8.8.8192.168.2.7
                                                                                                    May 30, 2023 05:03:37.036231995 CEST5051353192.168.2.78.8.8.8
                                                                                                    May 30, 2023 05:03:37.065052986 CEST53505138.8.8.8192.168.2.7
                                                                                                    May 30, 2023 05:03:42.286479950 CEST6076553192.168.2.78.8.8.8
                                                                                                    May 30, 2023 05:03:42.315392017 CEST53607658.8.8.8192.168.2.7
                                                                                                    May 30, 2023 05:03:48.027374983 CEST5828353192.168.2.78.8.8.8
                                                                                                    May 30, 2023 05:03:48.056211948 CEST53582838.8.8.8192.168.2.7
                                                                                                    May 30, 2023 05:03:55.814769983 CEST5002453192.168.2.78.8.8.8
                                                                                                    May 30, 2023 05:03:55.843626022 CEST53500248.8.8.8192.168.2.7
                                                                                                    May 30, 2023 05:04:01.830446959 CEST4951653192.168.2.78.8.8.8
                                                                                                    May 30, 2023 05:04:01.859366894 CEST53495168.8.8.8192.168.2.7
                                                                                                    May 30, 2023 05:04:07.995629072 CEST6267953192.168.2.78.8.8.8
                                                                                                    May 30, 2023 05:04:08.031418085 CEST53626798.8.8.8192.168.2.7
                                                                                                    May 30, 2023 05:04:13.533860922 CEST6139253192.168.2.78.8.8.8
                                                                                                    May 30, 2023 05:04:13.557497025 CEST53613928.8.8.8192.168.2.7
                                                                                                    May 30, 2023 05:04:18.690506935 CEST5210453192.168.2.78.8.8.8
                                                                                                    May 30, 2023 05:04:18.719341993 CEST53521048.8.8.8192.168.2.7
                                                                                                    May 30, 2023 05:04:24.381665945 CEST6535653192.168.2.78.8.8.8
                                                                                                    May 30, 2023 05:04:24.417123079 CEST53653568.8.8.8192.168.2.7
                                                                                                    May 30, 2023 05:04:30.628102064 CEST5900653192.168.2.78.8.8.8
                                                                                                    May 30, 2023 05:04:30.656935930 CEST53590068.8.8.8192.168.2.7
                                                                                                    May 30, 2023 05:04:35.869673967 CEST5152653192.168.2.78.8.8.8
                                                                                                    May 30, 2023 05:04:35.909228086 CEST53515268.8.8.8192.168.2.7
                                                                                                    May 30, 2023 05:04:41.106550932 CEST5113953192.168.2.78.8.8.8
                                                                                                    May 30, 2023 05:04:41.127481937 CEST53511398.8.8.8192.168.2.7
                                                                                                    May 30, 2023 05:04:47.337800980 CEST5878453192.168.2.78.8.8.8
                                                                                                    May 30, 2023 05:04:47.366252899 CEST53587848.8.8.8192.168.2.7
                                                                                                    May 30, 2023 05:04:53.208657980 CEST5797053192.168.2.78.8.8.8
                                                                                                    May 30, 2023 05:04:53.228923082 CEST53579708.8.8.8192.168.2.7
                                                                                                    May 30, 2023 05:04:59.529512882 CEST6460853192.168.2.78.8.8.8
                                                                                                    May 30, 2023 05:04:59.558573961 CEST53646088.8.8.8192.168.2.7
                                                                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                    May 30, 2023 05:03:04.193967104 CEST192.168.2.78.8.8.80xcdb3Standard query (0)googleusercontent.ddns.netA (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:03:09.763631105 CEST192.168.2.78.8.8.80x4e43Standard query (0)googleusercontent.ddns.netA (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:03:15.148186922 CEST192.168.2.78.8.8.80xb3e7Standard query (0)googleusercontent.ddns.netA (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:03:20.493885040 CEST192.168.2.78.8.8.80xbcd9Standard query (0)googleusercontent.ddns.netA (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:03:25.785439968 CEST192.168.2.78.8.8.80xb60aStandard query (0)googleusercontent.ddns.netA (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:03:31.181466103 CEST192.168.2.78.8.8.80x270cStandard query (0)googleusercontent.ddns.netA (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:03:37.036231995 CEST192.168.2.78.8.8.80x307Standard query (0)googleusercontent.ddns.netA (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:03:42.286479950 CEST192.168.2.78.8.8.80x3f35Standard query (0)googleusercontent.ddns.netA (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:03:48.027374983 CEST192.168.2.78.8.8.80xcf64Standard query (0)googleusercontent.ddns.netA (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:03:55.814769983 CEST192.168.2.78.8.8.80x670aStandard query (0)googleusercontent.ddns.netA (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:04:01.830446959 CEST192.168.2.78.8.8.80xbb1aStandard query (0)googleusercontent.ddns.netA (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:04:07.995629072 CEST192.168.2.78.8.8.80x1d1Standard query (0)googleusercontent.ddns.netA (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:04:13.533860922 CEST192.168.2.78.8.8.80x12efStandard query (0)googleusercontent.ddns.netA (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:04:18.690506935 CEST192.168.2.78.8.8.80x60a9Standard query (0)googleusercontent.ddns.netA (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:04:24.381665945 CEST192.168.2.78.8.8.80xfeddStandard query (0)googleusercontent.ddns.netA (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:04:30.628102064 CEST192.168.2.78.8.8.80x7369Standard query (0)googleusercontent.ddns.netA (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:04:35.869673967 CEST192.168.2.78.8.8.80x4b7fStandard query (0)googleusercontent.ddns.netA (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:04:41.106550932 CEST192.168.2.78.8.8.80x9e63Standard query (0)googleusercontent.ddns.netA (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:04:47.337800980 CEST192.168.2.78.8.8.80xf877Standard query (0)googleusercontent.ddns.netA (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:04:53.208657980 CEST192.168.2.78.8.8.80x9c82Standard query (0)googleusercontent.ddns.netA (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:04:59.529512882 CEST192.168.2.78.8.8.80x6791Standard query (0)googleusercontent.ddns.netA (IP address)IN (0x0001)false
                                                                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                    May 30, 2023 05:03:04.220006943 CEST8.8.8.8192.168.2.70xcdb3No error (0)googleusercontent.ddns.net79.134.225.25A (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:03:09.799726963 CEST8.8.8.8192.168.2.70x4e43No error (0)googleusercontent.ddns.net79.134.225.25A (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:03:15.174299002 CEST8.8.8.8192.168.2.70xb3e7No error (0)googleusercontent.ddns.net79.134.225.25A (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:03:20.521481037 CEST8.8.8.8192.168.2.70xbcd9No error (0)googleusercontent.ddns.net79.134.225.25A (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:03:25.812330008 CEST8.8.8.8192.168.2.70xb60aNo error (0)googleusercontent.ddns.net79.134.225.25A (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:03:31.210273981 CEST8.8.8.8192.168.2.70x270cNo error (0)googleusercontent.ddns.net79.134.225.25A (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:03:37.065052986 CEST8.8.8.8192.168.2.70x307No error (0)googleusercontent.ddns.net79.134.225.25A (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:03:42.315392017 CEST8.8.8.8192.168.2.70x3f35No error (0)googleusercontent.ddns.net79.134.225.25A (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:03:48.056211948 CEST8.8.8.8192.168.2.70xcf64No error (0)googleusercontent.ddns.net79.134.225.25A (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:03:55.843626022 CEST8.8.8.8192.168.2.70x670aNo error (0)googleusercontent.ddns.net79.134.225.25A (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:04:01.859366894 CEST8.8.8.8192.168.2.70xbb1aNo error (0)googleusercontent.ddns.net79.134.225.25A (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:04:08.031418085 CEST8.8.8.8192.168.2.70x1d1No error (0)googleusercontent.ddns.net79.134.225.25A (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:04:13.557497025 CEST8.8.8.8192.168.2.70x12efNo error (0)googleusercontent.ddns.net79.134.225.25A (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:04:18.719341993 CEST8.8.8.8192.168.2.70x60a9No error (0)googleusercontent.ddns.net79.134.225.25A (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:04:24.417123079 CEST8.8.8.8192.168.2.70xfeddNo error (0)googleusercontent.ddns.net79.134.225.25A (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:04:30.656935930 CEST8.8.8.8192.168.2.70x7369No error (0)googleusercontent.ddns.net79.134.225.25A (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:04:35.909228086 CEST8.8.8.8192.168.2.70x4b7fNo error (0)googleusercontent.ddns.net79.134.225.25A (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:04:41.127481937 CEST8.8.8.8192.168.2.70x9e63No error (0)googleusercontent.ddns.net79.134.225.25A (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:04:47.366252899 CEST8.8.8.8192.168.2.70xf877No error (0)googleusercontent.ddns.net79.134.225.25A (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:04:53.228923082 CEST8.8.8.8192.168.2.70x9c82No error (0)googleusercontent.ddns.net79.134.225.25A (IP address)IN (0x0001)false
                                                                                                    May 30, 2023 05:04:59.558573961 CEST8.8.8.8192.168.2.70x6791No error (0)googleusercontent.ddns.net79.134.225.25A (IP address)IN (0x0001)false

                                                                                                    Target ID:0
                                                                                                    Start time:05:02:54
                                                                                                    Start date:30/05/2023
                                                                                                    Path:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:C:\Users\user\Desktop\IntelCpHeciSvc.exe
                                                                                                    Imagebase:0x400000
                                                                                                    File size:248832 bytes
                                                                                                    MD5 hash:6B4A5A412E90721FBA5170A25CAEFBD4
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000003.341781141.0000000002184000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000003.341781141.0000000002184000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.341781141.0000000002184000.00000004.00001000.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000003.341781141.0000000002184000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: 00000000.00000002.609863549.0000000000409000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                    Reputation:low

                                                                                                    Target ID:1
                                                                                                    Start time:05:02:54
                                                                                                    Start date:30/05/2023
                                                                                                    Path:C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Users\user~1\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe"
                                                                                                    Imagebase:0x6c0000
                                                                                                    File size:207360 bytes
                                                                                                    MD5 hash:7F00E9819E4B205654B46E0090E6763E
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                    Yara matches:
                                                                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000002.629221700.000000001B800000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.629221700.000000001B800000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.629221700.000000001B800000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.629221700.000000001B800000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.630261931.000000001BD60000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000000.342421463.00000000006C2000.00000002.00000001.01000000.00000004.sdmp, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000000.342421463.00000000006C2000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                    • Rule: NanoCore, Description: unknown, Source: 00000001.00000000.342421463.00000000006C2000.00000002.00000001.01000000.00000004.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000000.342421463.00000000006C2000.00000002.00000001.01000000.00000004.sdmp, Author: unknown
                                                                                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.619633331.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, Author: ditekSHen
                                                                                                    • Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe, Author: unknown
                                                                                                    Reputation:low

                                                                                                    Target ID:2
                                                                                                    Start time:05:03:08
                                                                                                    Start date:30/05/2023
                                                                                                    Path:C:\Windows\svchost.com
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:"C:\Windows\svchost.com" "C:\PROGRA~1\DHCPMO~1\dhcpmon.exe"
                                                                                                    Imagebase:0x400000
                                                                                                    File size:41472 bytes
                                                                                                    MD5 hash:36FD5E09C417C767A952B4609D73A54B
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: 00000002.00000002.580407779.0000000000409000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                    • Rule: MAL_Malware_Imphash_Mar23_1, Description: Detects malware by known bad imphash or rich_pe_header_hash, Source: C:\Windows\svchost.com, Author: Arnim Rupp
                                                                                                    • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: C:\Windows\svchost.com, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Neshta, Description: Yara detected Neshta, Source: C:\Windows\svchost.com, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_Neshta, Description: Detects Neshta, Source: C:\Windows\svchost.com, Author: ditekSHen
                                                                                                    Reputation:moderate

                                                                                                    Target ID:3
                                                                                                    Start time:05:03:08
                                                                                                    Start date:30/05/2023
                                                                                                    Path:C:\Program Files\DHCP Monitor\dhcpmon.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\PROGRA~1\DHCPMO~1\dhcpmon.exe
                                                                                                    Imagebase:0xfd0000
                                                                                                    File size:207360 bytes
                                                                                                    MD5 hash:7F00E9819E4B205654B46E0090E6763E
                                                                                                    Has elevated privileges:false
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.403891013.00000000134B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.403891013.00000000134B0000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.403891013.00000000134B0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.403372406.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                    • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.403372406.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.403372406.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, Author: Florian Roth (Nextron Systems)
                                                                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, Author: Joe Security
                                                                                                    • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, Author: ditekSHen
                                                                                                    • Rule: NanoCore, Description: unknown, Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                    • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: C:\Program Files\DHCP Monitor\dhcpmon.exe, Author: unknown
                                                                                                    Reputation:low
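The three process records above show the two families working together: Target 1 is the NanoCore payload running from Neshta's staging folder (%TEMP%\3582-490\), Target 2 is Neshta's C:\Windows\svchost.com launching the persistence copy, and Target 3 (dhcpmon.exe) carries the same MD5 as Target 1 under a new name in Program Files. The following Python is an added triage example, not part of the Joe Sandbox report or of either malware family: it runs those three patterns over process records constructed from the report's own paths, command lines and hashes. The rule rationale (svchost.com registered as the .exe file-association handler, 3582-490 as Neshta's staging directory) is documented Neshta behaviour; the record layout and function names are this example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcRecord:
    target_id: int
    path: str
    commandline: str
    md5: str


# Constructed from the report's process records (Target IDs 1-3); paths,
# command lines and MD5s are copied from the report, the layout is ours.
SAMPLE_PROCESSES = [
    ProcRecord(1, r"C:\Users\user\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe",
               r'"C:\Users\user~1\AppData\Local\Temp\3582-490\IntelCpHeciSvc.exe"',
               "7F00E9819E4B205654B46E0090E6763E"),
    ProcRecord(2, r"C:\Windows\svchost.com",
               r'"C:\Windows\svchost.com" "C:\PROGRA~1\DHCPMO~1\dhcpmon.exe"',
               "36FD5E09C417C767A952B4609D73A54B"),
    ProcRecord(3, r"C:\Program Files\DHCP Monitor\dhcpmon.exe",
               r"C:\PROGRA~1\DHCPMO~1\dhcpmon.exe",
               "7F00E9819E4B205654B46E0090E6763E"),
]

# Neshta installs C:\Windows\svchost.com as the "exefile" open handler, so every
# .exe launch on an infected host becomes:  "C:\Windows\svchost.com" "<exe>" ...
NESHTA_WRAPPER = re.compile(
    r'^"?[a-z]:\\windows\\svchost\.com"?\s+"?(?P<victim>[^"]+?\.exe)"?',
    re.IGNORECASE)

# Neshta drops the cleaned copy of an infected program under %TEMP%\3582-490\
# and runs it from there; the folder name is a fixed Neshta constant.
NESHTA_STAGING = re.compile(r"\\3582-490\\", re.IGNORECASE)


def find_neshta_wrappers(procs):
    """Return (target_id, victim_path) for every process launched via svchost.com."""
    hits = []
    for p in procs:
        m = NESHTA_WRAPPER.match(p.commandline)
        if m:
            hits.append((p.target_id, m.group("victim")))
    return hits


def find_staged_hosts(procs):
    """Return target_ids whose image lives in Neshta's 3582-490 staging folder."""
    return [p.target_id for p in procs if NESHTA_STAGING.search(p.path)]


def find_hash_copies(procs):
    """Group processes by MD5 (case-insensitive) and keep hashes seen under more
    than one path: the payload copied itself to a persistence location."""
    by_hash = defaultdict(set)
    for p in procs:
        by_hash[p.md5.lower()].add(p.path.lower())
    return {h: sorted(paths) for h, paths in by_hash.items() if len(paths) > 1}


def triage(procs):
    """Run all three checks and return the findings keyed by rule name."""
    return {
        "neshta_wrapper": find_neshta_wrappers(procs),
        "neshta_staging": find_staged_hosts(procs),
        "same_hash_multiple_paths": find_hash_copies(procs),
    }


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_PROCESSES).items():
        print(f"{rule}: {hits}")
```

The hash-copy check is the one that survives renaming: an analyst seeing only dhcpmon.exe under Program Files would not know it is IntelCpHeciSvc.exe until the MD5s are compared, which is why the report lists the hash per process rather than only for the submitted sample.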

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: Ma!
                                                                                                      • API String ID: 0-3384484873
                                                                                                      • Opcode ID: 7c17fafa0414006ed4de7241490354b9b216d612c26c103e7ceed64136c3ad7f
                                                                                                      • Instruction ID: 137a2b5c6b7a19ce060cf5bb14e0cf24a9e3a7ca5fb29345671adc90aa799504
                                                                                                      • Opcode Fuzzy Hash: 7c17fafa0414006ed4de7241490354b9b216d612c26c103e7ceed64136c3ad7f
                                                                                                      • Instruction Fuzzy Hash: 88221871B0C6894FE759EF2988653797BE1EF5A301F5901BED48AC73D2DE6898028381
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: Ma!
                                                                                                      • API String ID: 0-3384484873
                                                                                                      • Opcode ID: be75301bacd4c7543e2e7ded1b7dd03ea7423afe37b021286ad91e62d72eaa04
                                                                                                      • Instruction ID: 26fa4ad2703d0f5dbe132e1f9c68653fddb6ebeea646999d93d0b54ac3c49903
                                                                                                      • Opcode Fuzzy Hash: be75301bacd4c7543e2e7ded1b7dd03ea7423afe37b021286ad91e62d72eaa04
                                                                                                      • Instruction Fuzzy Hash: 35220831F1CA494FE759AF3988643797BE1EF5A302F5404BEE44AC7393DE6898428781
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: x^_!
                                                                                                      • API String ID: 0-2561082640
                                                                                                      • Opcode ID: f2f73823b34f39f94c48ae6b0d15b72b5fa932cf2585282604a102404179b5b2
                                                                                                      • Instruction ID: a1f698ac14645dc5df9274ccfa4b3018d8885873d9e43767aa4f6c80567b13a2
                                                                                                      • Opcode Fuzzy Hash: f2f73823b34f39f94c48ae6b0d15b72b5fa932cf2585282604a102404179b5b2
                                                                                                      • Instruction Fuzzy Hash: A361D9AAB4968B0FFB91EF39846537537E1EF5A301F4521B9D48ACB3D2DD68A8418340
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 6d5cb987d88e3276c80bcc9cecb3fd2649f3414f404ac4a5e18cb865f566b5b2
                                                                                                      • Instruction ID: 834c6face4e78154ec743ddd12a2644440f8822c3fa5144a7fae229eba4f3608
                                                                                                      • Opcode Fuzzy Hash: 6d5cb987d88e3276c80bcc9cecb3fd2649f3414f404ac4a5e18cb865f566b5b2
                                                                                                      • Instruction Fuzzy Hash: 8E811C70908A8D9EEBB5DF28885D7F93BE0EB19302F14416FD84DCB662EF7546818741
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: a3aea0e2c2fa4e929dbcc11591a3b116ed50f26ec48f467bf3c2253e2d3778aa
                                                                                                      • Instruction ID: acdf6bf0d7c482602a18656d4e6651a78a6e5a18ac356f50eef68b57a8fc6459
                                                                                                      • Opcode Fuzzy Hash: a3aea0e2c2fa4e929dbcc11591a3b116ed50f26ec48f467bf3c2253e2d3778aa
                                                                                                      • Instruction Fuzzy Hash: 8061D77AB49A470FFF95EF3988A43342AE1DF5A341B4430BAD44ACB2D2DD7C98468341
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: c7b5b26467b5850e796241158430c5ea25adedaa415865abf8e641bd39d65fa7
                                                                                                      • Instruction ID: 6658ab4ec5334812442eb133ee2fb1cf0bb3e176aa17964e0027584306b9cb2e
                                                                                                      • Opcode Fuzzy Hash: c7b5b26467b5850e796241158430c5ea25adedaa415865abf8e641bd39d65fa7
                                                                                                      • Instruction Fuzzy Hash: AE511AAAB0968B0FFF91EF39846537527E1EF5A301B4521B9D48ACB2D2DD6898418340
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: :3
                                                                                                      • API String ID: 0-295802547
                                                                                                      • Opcode ID: d3d84940ed42305bc5e43818d010612425745bc871d6c53321e7b84a6124b3a8
                                                                                                      • Instruction ID: f29643c48cc607e4b47780b3029e53cca09bc3f7f5b0667261bcc901b4ab51a0
                                                                                                      • Opcode Fuzzy Hash: d3d84940ed42305bc5e43818d010612425745bc871d6c53321e7b84a6124b3a8
                                                                                                      • Instruction Fuzzy Hash: B651C620B1890A4FEB65EF2948547BD72D2EF89341F95017DE44EC73D3EE6CA9468381
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Strings
                                                                                                      Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID: 8V`!
• API String ID: 0-1434330793
• Opcode ID: afa13ca85c9d521cc54ddd592eea472f449ca8c191f20f36471bbfeefd8032b5
• Instruction ID: 8d4b485ebfab503fd433cdd27c23b658111176609b6ad5b2991cefd771efd169
• Opcode Fuzzy Hash: afa13ca85c9d521cc54ddd592eea472f449ca8c191f20f36471bbfeefd8032b5
• Instruction Fuzzy Hash: 0E513371A18A8E5EEBB5EF29886D3F936D1FF19302F10017BD80EC72A1EE7456858741
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID: x^_!
• API String ID: 0-2561082640
• Opcode ID: 645fd31fb688ab217443eb5ff6423a32b5cfef4c60a9d6942c0e31a07f69fed0
• Instruction ID: 32a1c79ef7b8426ccefc17e46ba0ffcb2c5e59c6675d3e7f5d0cc80eef969bca
• Opcode Fuzzy Hash: 645fd31fb688ab217443eb5ff6423a32b5cfef4c60a9d6942c0e31a07f69fed0
• Instruction Fuzzy Hash: 2021F531B0CF4A9FEB54AE2948E56357AD2EF1E311B4450BDD41EC72D2CDA8A8068681
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID: x^_!
• API String ID: 0-2561082640
• Opcode ID: 94a3178b39e84a3ff7583fd426ced0f29d7b865c734c677ecf3dcc10a1da5233
• Instruction ID: 3b394effedee6f50ac5bdbeb563fbfbed744c3638606ae6e2332393b76a5825a
• Opcode Fuzzy Hash: 94a3178b39e84a3ff7583fd426ced0f29d7b865c734c677ecf3dcc10a1da5233
• Instruction Fuzzy Hash: FC21B1BC688E0B4FFF61EB2BE4A463436D29FA931170536B9850BCB296CD79D8064300
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID: x^_!
• API String ID: 0-2561082640
• Opcode ID: 348972f4dc04f88186454f0ad0a61b7c8c938c9087b09c33017e7b97e24da445
• Instruction ID: fbab64e5fecefc9f160015804df6f82de960024be3c6ad7ced3eefdd18108f11
• Opcode Fuzzy Hash: 348972f4dc04f88186454f0ad0a61b7c8c938c9087b09c33017e7b97e24da445
• Instruction Fuzzy Hash: 1C113C7D78490B8FFFA4EB2FE4E873426C69BA8315B053679900BCB395DD75D8024600
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID: 8_!
• API String ID: 0-179443239
• Opcode ID: d35960cede2651fb1ccf0e709c19a9e40a3cda18de48d9dbc3b4198812c8d9d8
• Instruction ID: 696bb3c57d425166d5cc2e8ebcf7a482161c3763149ad694a82904fd67a777b4
• Opcode Fuzzy Hash: d35960cede2651fb1ccf0e709c19a9e40a3cda18de48d9dbc3b4198812c8d9d8
• Instruction Fuzzy Hash: 8801ED30A0CA484FA784FB2C8058A69B7E1EB69345B6405AEE54DC73A2EE2598418B41
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID: x^_!
• API String ID: 0-2561082640
• Opcode ID: 9c72a08767bdc00bfded3fd51ddab052cbcd4dfa9d5be7c57af237af5fa64853
• Instruction ID: 3baf421d984d8fb0812f866a2474c246f980f8cbef475b792fcef2491a8d0d1d
• Opcode Fuzzy Hash: 9c72a08767bdc00bfded3fd51ddab052cbcd4dfa9d5be7c57af237af5fa64853
• Instruction Fuzzy Hash: 0101F634719E0A4FEF98FF3980A9B7837E1EB69202B0010B8D50AC72A2DD64AC458B40
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID: Ma!
• API String ID: 0-3384484873
• Opcode ID: 6e41e50eeae9d86ff30a95a3ba03a3fa3ec8a47ec62b906b377890db3a2a5beb
• Instruction ID: 2cf6e12c62c5616012f46df19e75052e9c44c77fe462fdaf1d673399890fb6bf
• Opcode Fuzzy Hash: 6e41e50eeae9d86ff30a95a3ba03a3fa3ec8a47ec62b906b377890db3a2a5beb
• Instruction Fuzzy Hash: E2F01282B1EBC50FE78797381CB12546FA19B9A140F8500F79549CB2D7EC4818454351
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID: 9
• API String ID: 0-2366072709
• Opcode ID: 894a51ccc2de4c76663e59620d5d6eb37c2380f244d7a4da07c852e23326dab4
• Instruction ID: 77e583195fa8d65ec6ca8d6d2997a1450495cfdbd8914ae4f52067ef7a241a95
• Opcode Fuzzy Hash: 894a51ccc2de4c76663e59620d5d6eb37c2380f244d7a4da07c852e23326dab4
• Instruction Fuzzy Hash: C9F0F421F0D7854FD766BB38546062D6AD2AF86240B5805BDC04ECB2D7EC68E9058380
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID: x^_!
• API String ID: 0-2561082640
• Opcode ID: ff4ede414bdcab801b906bb1c99b0dfe5da43340893b1a4fd051c2a00c8424e0
• Instruction ID: e2664824d5a12f205b3ad0ad7bfec08115a0f53ddcd0debf6f552cd2633d338a
• Opcode Fuzzy Hash: ff4ede414bdcab801b906bb1c99b0dfe5da43340893b1a4fd051c2a00c8424e0
• Instruction Fuzzy Hash: CAF09E3471890A8FEF98EB399078B3936D1EF65306F5150B8950AC73B5DE64D8058B40
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d0f180f56dba3710aabff3894fe5fe9b1e46186c77f17c2149a882645677ac13
• Instruction ID: 92a31697085bdd5642cd0c7ed53b48892906bfe772049cb783995129a23f9622
• Opcode Fuzzy Hash: d0f180f56dba3710aabff3894fe5fe9b1e46186c77f17c2149a882645677ac13
• Instruction Fuzzy Hash: 0222903071C6099FEB45EF2CC8A5AA977D1FF55315F6405B8E44AC7282DE68E842CBC1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ecbc488d7bea7c14212c70ac826d747a601369a3187dd10992b5328593a77979
• Instruction ID: 54a79d10177f8044d21fc515bf8c15b51743401d42e7502e7689926836876cb3
• Opcode Fuzzy Hash: ecbc488d7bea7c14212c70ac826d747a601369a3187dd10992b5328593a77979
• Instruction Fuzzy Hash: BB02C030A1CA499FEB48EF28C495A7577D1FF55311F6005BDE44AC7292EE68E842CBC1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5226ba7dac38e8b915b0adb207914e541fe512136b032b9d57847660ecc96503
• Instruction ID: ec23ccb644a918548388e73c5b9393c90b5ee52c66a90d0b893b9c281508cdd2
• Opcode Fuzzy Hash: 5226ba7dac38e8b915b0adb207914e541fe512136b032b9d57847660ecc96503
• Instruction Fuzzy Hash: 9EB1B761B1CE1A1FEB58BB2954A577972C2EF5C301F6000BEE44FC73D3ED68A8424681
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b08a2ccc085cf7a4f9209829150fbd5ae01f8445dc99c47fba467953e81c6d5c
• Instruction ID: b6e1e28166dd59eb262126dbcee548c5742a65edfc5bf385107227bf1fa2c2b2
• Opcode Fuzzy Hash: b08a2ccc085cf7a4f9209829150fbd5ae01f8445dc99c47fba467953e81c6d5c
• Instruction Fuzzy Hash: 3DC18D30A0CA0A9FDB44EF2DC495965B3E1FF59305B1006BDE44EC7692EB75F8928B80
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 78c2e04b07d95d1881a7b7687f265ded6d563b57bff7399b7ba7d726b0703928
• Instruction ID: 07518440d2352fbaa54d4eb29e1a117d3109b7248f469d682b6498054630b52c
• Opcode Fuzzy Hash: 78c2e04b07d95d1881a7b7687f265ded6d563b57bff7399b7ba7d726b0703928
• Instruction Fuzzy Hash: 65919011B1CA4A4FF785EB3888A5BA5B7E1FF58310F5055BDE04EC3293EE68B8158780
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cc3bd6275821682a35420460cb68024fd7950f6a8fa99eab90c132273ec13c1e
• Instruction ID: 5acd87e8f5a783b3a78def7031799562144b5eb971db7e14a7111e7e658d45fd
• Opcode Fuzzy Hash: cc3bd6275821682a35420460cb68024fd7950f6a8fa99eab90c132273ec13c1e
• Instruction Fuzzy Hash: D3A1ED70A08B498FDBA5EF2CC498BA977E1FF69301F1445AED48DC7262DE35D8818B41
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aa4aed1c326b79906a2ce469ad5e1003388484acaab26bb81c64b269e4dd3499
• Instruction ID: 246e6ff6a7904a04f1419426e41dbc31d80765922916749902bf08d16d9451ab
• Opcode Fuzzy Hash: aa4aed1c326b79906a2ce469ad5e1003388484acaab26bb81c64b269e4dd3499
• Instruction Fuzzy Hash: 62A1BE70918A8D8FDFA5EF28C858BE83BE0FB29305F50456AD84DCB251DB759585CB40
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b16b3679554db01677a3d58f5bf0bd1abe4190711be32f6bc3e970ea56eb61f1
• Instruction ID: de25017c3d9e36168c84306a86029f1df6d3ab5a3ef3ae1c8e7c769a36a16184
• Opcode Fuzzy Hash: b16b3679554db01677a3d58f5bf0bd1abe4190711be32f6bc3e970ea56eb61f1
                                                                                                      • Instruction Fuzzy Hash: 8971063170D6869FE7069F3CC8A56A07BA0EF12315F6804F9D14ACF2D3D9A89886C791
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: cf3efb9d4dfa542393e1cd1318154c8ab2ee6e6d07c367318353752a12bf2b10
                                                                                                      • Instruction ID: 4d959fa2745673c664649271351f2b018680ac1ea9e3337d39f7af2d4ccc0b98
                                                                                                      • Opcode Fuzzy Hash: cf3efb9d4dfa542393e1cd1318154c8ab2ee6e6d07c367318353752a12bf2b10
                                                                                                      • Instruction Fuzzy Hash: 8581AD3061CA098FEB09EF2CC4A9A6577D1FF59315F6415B8D54BC7293EA68E842CB80
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 2c7a9edcf614f9348c77fb71fe52400e5169a719251f3ef24105288b433f5dcc
                                                                                                      • Instruction ID: b67f23889a50ba84c284e80c01332d01c29a5a90ff4c3c494953764d3cfa937c
                                                                                                      • Opcode Fuzzy Hash: 2c7a9edcf614f9348c77fb71fe52400e5169a719251f3ef24105288b433f5dcc
                                                                                                      • Instruction Fuzzy Hash: 2B712831A0CE551FEB057B3984696783BC1EF9A312F2429B9D55EC72E3DD58A8428381
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: c91de150d334164dfb6ae172e9c77061fe9c5c5c6c5e1da8c9dfa7552843510c
                                                                                                      • Instruction ID: 27c49219ddc9d6641be282c2e7bb29fddca5a064c1d2305052aa91ab01ff9b9f
                                                                                                      • Opcode Fuzzy Hash: c91de150d334164dfb6ae172e9c77061fe9c5c5c6c5e1da8c9dfa7552843510c
                                                                                                      • Instruction Fuzzy Hash: F161203190D7C94EE3A6AF3888197B5BFE0EF57221F0545BEC48DC71A3EE64544A8382
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 2adbdcb7cc5b3957e74f07b177f2d916320aeefbdd485f9c3a21be063ad593ec
                                                                                                      • Instruction ID: 3dbc32d81a1fbe07129286750c6e7d8fb05cd508a0608b6f0fb227244a3b48a0
                                                                                                      • Opcode Fuzzy Hash: 2adbdcb7cc5b3957e74f07b177f2d916320aeefbdd485f9c3a21be063ad593ec
                                                                                                      • Instruction Fuzzy Hash: 04613E7050CB898FEBA0EF28C454BA57BE0FB69305F24456ED48DC7252EB31D585CB41
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 15eeafad4a57a9bd8a23ddadbb9c98d6597e152c1c7805bc8439b44a3aca60e5
                                                                                                      • Instruction ID: 692c01c81b93394d519291cf57f8cf35fa3d42a11f590fd296b77f8940e00c6a
                                                                                                      • Opcode Fuzzy Hash: 15eeafad4a57a9bd8a23ddadbb9c98d6597e152c1c7805bc8439b44a3aca60e5
                                                                                                      • Instruction Fuzzy Hash: 2051D631708A495FEB85FB3C84A8A7977D1EFA9301F1504BEE44EC7293DE68D8428741
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 679846c26629a49c7715d1330eec13b87bb3faabfb68aad06240ebbe2987badd
                                                                                                      • Instruction ID: 173499f33cbc12d93fddfcd9b6849add75de21bfc8e295858a76ef7bc0173799
                                                                                                      • Opcode Fuzzy Hash: 679846c26629a49c7715d1330eec13b87bb3faabfb68aad06240ebbe2987badd
                                                                                                      • Instruction Fuzzy Hash: 4C515E7160CA0A9FDB48EF1DC495875B3E0FF99316B50067EE44EC3252EA75F8928B81
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 491416ef3f325f2b99c98e8b506265952f06eb55f627c496331ff916a2518b7e
                                                                                                      • Instruction ID: b9dd4e7893d723e455db68d80322da3eb52d9a15499d8ea59dc7680ffaba8b7f
                                                                                                      • Opcode Fuzzy Hash: 491416ef3f325f2b99c98e8b506265952f06eb55f627c496331ff916a2518b7e
                                                                                                      • Instruction Fuzzy Hash: 17619370A0C7894FDB85EF28C8A56A97BE1FF5D301F5401BAD44ECB292DA78E845C780
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: ec0450ae48b1ff3b347cda7a91b8cb45aa0074234e142384f421502092330cae
                                                                                                      • Instruction ID: a7d7d58d43f1cc9fd396f95fe35e7961c6244730677a76d8600f9235af692df8
                                                                                                      • Opcode Fuzzy Hash: ec0450ae48b1ff3b347cda7a91b8cb45aa0074234e142384f421502092330cae
                                                                                                      • Instruction Fuzzy Hash: FF51D861F0CA4A4FEB54AF2994652BA77D1FF9D311F1041BAD01EC7292DEACB84287C1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 0d72aa8f47a47b16f5697db0e0a70883d54518343c94798f2faf5ee972a36a33
                                                                                                      • Instruction ID: b72f25d7942e2a0f9c7271d1ff54e62b8bea431b12f52e66b2a7763825ca7779
                                                                                                      • Opcode Fuzzy Hash: 0d72aa8f47a47b16f5697db0e0a70883d54518343c94798f2faf5ee972a36a33
                                                                                                      • Instruction Fuzzy Hash: 6E51A310B18E1A4FEB64EF29489537E62C2EF98341F55417DE04EC72D6EEACE94283C1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 60690aed1c5284ca6808a7bea30878c3da91457d6aaec2d34227114c0a1f84cf
                                                                                                      • Instruction ID: a697a6a5af65ee6f8336270262dfeb317bcb62414ee1d4c86312fef982b65007
                                                                                                      • Opcode Fuzzy Hash: 60690aed1c5284ca6808a7bea30878c3da91457d6aaec2d34227114c0a1f84cf
                                                                                                      • Instruction Fuzzy Hash: 7F51C630F1CA4A8EFB589E28886577977D0EF55312F7005BAD41EC32D2DDE8E8408AD5
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 749dc1254fad2dace5e283fd1e9e41caaccce72ed0be998bdc0bef4b5d63db69
                                                                                                      • Instruction ID: 41ee667bbd8f3866d9e0c1a1ca0e78d34e2c28355c7f1c81b245705679ba7abb
                                                                                                      • Opcode Fuzzy Hash: 749dc1254fad2dace5e283fd1e9e41caaccce72ed0be998bdc0bef4b5d63db69
                                                                                                      • Instruction Fuzzy Hash: 1641F761F5C64A4FE754BE355CA627976D0EF49301F5000BEE84FC73D3EC58A80642A1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 2210cbd846e1cbde1be70130a7b29cad1fada605ab46b5b76fab8852248f0ea9
                                                                                                      • Instruction ID: aafbc630f7afe2855cc8202bcc8bd8b0901631c0af380d5cb56a87a2a26131fd
                                                                                                      • Opcode Fuzzy Hash: 2210cbd846e1cbde1be70130a7b29cad1fada605ab46b5b76fab8852248f0ea9
                                                                                                      • Instruction Fuzzy Hash: 98516171A18A8C4FEBA5EF2888997F93BD0FF1A311F10017FD84EC72A2DA7455458741
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: f0a811ba16d54507f2a7805b9020e7bd2fdd8af3add7ee1c0ff928f70eba921d
                                                                                                      • Instruction ID: 91461e152dbacd80d1741dc70b08404e1b54bfd048a9b5d5fadcd01d50f0192d
                                                                                                      • Opcode Fuzzy Hash: f0a811ba16d54507f2a7805b9020e7bd2fdd8af3add7ee1c0ff928f70eba921d
                                                                                                      • Instruction Fuzzy Hash: FB51157160CA498FDB95EF28C498BA43BE1FF6A301F5500AAD44ECB2A3DB35E845C751
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: f58826cd0d1ae51338bf8a0542a0256f325c32084351e2e90677038bbb40db87
                                                                                                      • Instruction ID: 846aceb3950e2fde5492afd699e840e8ab49a298d9b38d0a26e088cc8a00b225
                                                                                                      • Opcode Fuzzy Hash: f58826cd0d1ae51338bf8a0542a0256f325c32084351e2e90677038bbb40db87
                                                                                                      • Instruction Fuzzy Hash: 10411821B1CA4A0EE7057F3844A56B977C0EF59312F5005BDD04EC72D3ED9DA8468382
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 0674bbed11f080102e2ca3c03e0c1d19b5c2b8e659f5328c100cebfe3fbdfe15
                                                                                                      • Instruction ID: 8e49ab95549fa9035c321948a022434c5c7cb784e67582460f9b4c45255beaac
                                                                                                      • Opcode Fuzzy Hash: 0674bbed11f080102e2ca3c03e0c1d19b5c2b8e659f5328c100cebfe3fbdfe15
                                                                                                      • Instruction Fuzzy Hash: 49414221F1CA1A0FFB59BA3948A63B862C1EF59712F5405BED54FC73D3EC68A84242C1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 5bf89de3de501bd2314975db006fc11ed79602419cc2350014ec9afdd344ddc5
                                                                                                      • Instruction ID: 3c06fb52e4893e6fcdb908214241a64d295320b8398e5284829b4c344003f3c7
                                                                                                      • Opcode Fuzzy Hash: 5bf89de3de501bd2314975db006fc11ed79602419cc2350014ec9afdd344ddc5
                                                                                                      • Instruction Fuzzy Hash: 4B411402B0DBC64FF7568B384C7A235BFA1EF5B261B1801FAD089CB2D3D9686C158781
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: c79363412cf9248b24335a3c10186889323fe8a40bdddea5e7f2ba24040e93eb
                                                                                                      • Instruction ID: 21b27d8831f1814ee5c605130208ab06a4b3df2527cd6808503ad110f6557c01
                                                                                                      • Opcode Fuzzy Hash: c79363412cf9248b24335a3c10186889323fe8a40bdddea5e7f2ba24040e93eb
                                                                                                      • Instruction Fuzzy Hash: 74413F20B1CA494FE759BF29889577977E1FF49301F5044BAE40DC72A3DE78A94287C1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 586ef01879f01338e5640ab9e6a425b30484cc2b06f38a04a4976d0080198124
                                                                                                      • Instruction ID: 62752f42325c56142ca9e2a6204ba261abbc7365286735494d777b06f61f4a9d
                                                                                                      • Opcode Fuzzy Hash: 586ef01879f01338e5640ab9e6a425b30484cc2b06f38a04a4976d0080198124
                                                                                                      • Instruction Fuzzy Hash: 9241F461A1DBC54FE782EF38C464626BFE1EF56301F0546BAE049CB2A3EF249845C742
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: c068b8b49497a696b651f7107db8c244ede4c677574207000a161752ab1bc8d5
                                                                                                      • Instruction ID: c6dd5dc180d0244ec4d743b834905c56e2a96a015260534a3e432c23dfd1c325
                                                                                                      • Opcode Fuzzy Hash: c068b8b49497a696b651f7107db8c244ede4c677574207000a161752ab1bc8d5
                                                                                                      • Instruction Fuzzy Hash: 2841E931F1CA498FE759EF2488602797BA1EF5A342F5400BAE44EC7393DE79A9418390
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 79791ea45467af6962f177ba2513bd5c84aff0827c73c54eb7ad0814fd0948d3
                                                                                                      • Instruction ID: 2a5f6635f577f40d2bb0a4df1baf63a12d21bc45189e0342351c5f052aa29b4b
                                                                                                      • Opcode Fuzzy Hash: 79791ea45467af6962f177ba2513bd5c84aff0827c73c54eb7ad0814fd0948d3
                                                                                                      • Instruction Fuzzy Hash: BD415251F0894E4FEB98AB285CA63B8B2D2EF99300F5444BEE04EC32D3DD69A8494741
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: ed0c996af7ba5e5ba0b679f15ab9d36f45c6bdee96821588d4cc14181ad84cf4
                                                                                                      • Instruction ID: 410cf59b3885ce3a2e85e879d623ce3c94e295eca00bcc094b1a92951552646a
                                                                                                      • Opcode Fuzzy Hash: ed0c996af7ba5e5ba0b679f15ab9d36f45c6bdee96821588d4cc14181ad84cf4
                                                                                                      • Instruction Fuzzy Hash: 4B41D722F0C64A4FE759EF2988602797BF1EF56341F5900BAD44BC72D3DE69A9028740
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: b7faf43759f9e84a48e27eb8b03ad9333f7e0e1e0d5409d229963495204a5f41
                                                                                                      • Instruction ID: bbe90f22c63d13b335d8cb2390c5fbadeb1ace7d3304fe8758fff48319f4a9d9
                                                                                                      • Opcode Fuzzy Hash: b7faf43759f9e84a48e27eb8b03ad9333f7e0e1e0d5409d229963495204a5f41
                                                                                                      • Instruction Fuzzy Hash: 3241D571B0DA494FE354EF2998A5279B7D1FF48301F00067AD48AC7796DEA8F84687C2
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 101e92f948666dd75a5184d2cf7b31192419c1601503a91d0336c66a8b8011a4
                                                                                                      • Instruction ID: 4ca212389570176c8707c8b6873d92e499c7f9cde5003cee3aa27d7d136476e6
                                                                                                      • Opcode Fuzzy Hash: 101e92f948666dd75a5184d2cf7b31192419c1601503a91d0336c66a8b8011a4
                                                                                                      • Instruction Fuzzy Hash: ED314A2171C68A0EF7057F3C54A52B967C0EF59312F1005BEE44EC72D3ED9DA8068382
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 5ff8984d186f862f84dee68adbb46994641b2ace675394844160804a67adc4a4
                                                                                                      • Instruction ID: b6f1b058e079ecc4661fe7060df6ad2bf8e1de0297c0aec9a73c89b3aaadbab7
                                                                                                      • Opcode Fuzzy Hash: 5ff8984d186f862f84dee68adbb46994641b2ace675394844160804a67adc4a4
                                                                                                      • Instruction Fuzzy Hash: A741E131A1CA4D4FDB54EF29C8A55B677E4FF5A701B04057EE88EC7392DE64A8028BC1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 26c4228c6640dd8941d800a54cae22944ec7bc92d9cb95742362bcc68c4781b4
                                                                                                      • Instruction ID: d27dc60298cfa4f3a4a10ef3444cccd9d7f3cbceaafec8355dad14c3b3ded4fc
                                                                                                      • Opcode Fuzzy Hash: 26c4228c6640dd8941d800a54cae22944ec7bc92d9cb95742362bcc68c4781b4
                                                                                                      • Instruction Fuzzy Hash: AE514871518A498FDBA0EF2CC088B5AB7E0FB69311F50456EE48DC7265EB31D585CB42
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 8353509d55dae30b7a9b7eb9cb648f12a0954135eef807667ee11b8efeb47681
                                                                                                      • Instruction ID: b91889e62f39a614b3f3d199908d59a07d323f1dcb0bede2d1cf06f1d3c3bb48
                                                                                                      • Opcode Fuzzy Hash: 8353509d55dae30b7a9b7eb9cb648f12a0954135eef807667ee11b8efeb47681
                                                                                                      • Instruction Fuzzy Hash: 4431B520F1CA4A8FE764DF28886877977D1EF55312F344676D40AC73D6DE68E8008AC4
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 1e3caf5decc4d0d337d8f7ca5429a805dbc99ad4cff28ef16dc44944aa0d163b
                                                                                                      • Instruction ID: e3d69e173748e1685231915023c0aa8b0369f38ea59ab60b6c1ee96b15a88897
                                                                                                      • Opcode Fuzzy Hash: 1e3caf5decc4d0d337d8f7ca5429a805dbc99ad4cff28ef16dc44944aa0d163b
                                                                                                      • Instruction Fuzzy Hash: BF419621B0CB894FE785EB388465769BBE1EF59301F5504FED04EC72A3DE68E8458701
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: c67dfff02fe2fa83c4a65856b7f1f90002c5e7081c393fc8245fd7a2aec59cfe
                                                                                                      • Instruction ID: 8ddeeaa3c9e2041b5c7dc18b96daef1c970b2e9b6aeec160d4a623642c0f9836
                                                                                                      • Opcode Fuzzy Hash: c67dfff02fe2fa83c4a65856b7f1f90002c5e7081c393fc8245fd7a2aec59cfe
                                                                                                      • Instruction Fuzzy Hash: F9416260609A868EEF95DF2884A47A53BD0EF55306F6840F9CD4DCF2E7CB789844CB61
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: afa3817a44787b34650ac870cc72895904dff004973dc27c35e8600b7f40b428
• Instruction ID: a92e0c29335f6acf56179359123d29ee7cc3984e96f36ebd81d3ae1a5a7f23b7
• Opcode Fuzzy Hash: afa3817a44787b34650ac870cc72895904dff004973dc27c35e8600b7f40b428
• Instruction Fuzzy Hash: 2531C560F1C68A4FEB89AF3848652B97AD1EF45611F0544BEE40EC72A3EE6C95068780
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4810944603c989c0db264f5d642a91f571101db34ec163b2317bb29fd1b9c5b3
• Instruction ID: 93ad4d4983c562cc4ef97c07f0772c3c2ec9e83b3615e3ab3e46c466f83e754b
• Opcode Fuzzy Hash: 4810944603c989c0db264f5d642a91f571101db34ec163b2317bb29fd1b9c5b3
• Instruction Fuzzy Hash: CC311021B1891E8FEB98FF29D4A577873E1FF99341F5104B9D10EC7291DEA9E8018740
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 12fd76330da78fd88990bb916dfe480865c9c6224da9ef86e31667fff4126341
• Instruction ID: 8cc8823e7720c3aa4f76ba0a7e051bd2eba2a4d561f12b80fea1e359438e6364
• Opcode Fuzzy Hash: 12fd76330da78fd88990bb916dfe480865c9c6224da9ef86e31667fff4126341
• Instruction Fuzzy Hash: B5412B71A1C64A4FEB95EF2984753B977D0FF4A346F5101BAE40EC7282DEE858068780
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4596bc67f67429931246dc2e46dc53f54d6ed4c6352972a62950aeecbc5bfa7d
• Instruction ID: 4a8d80e18c8e35c2f4ef41a729a8fd7813aa6606332b011151475e08a0ba6e9d
• Opcode Fuzzy Hash: 4596bc67f67429931246dc2e46dc53f54d6ed4c6352972a62950aeecbc5bfa7d
• Instruction Fuzzy Hash: 9B419C7550CB488FDB95EF28C084B96B7E0FB69315F2445AEE48DC7211DB32D586CB42
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: beccb7d86c2954a7fc10e30dece208e86fbda4b0e9689d0cb59a62a2a68d5440
• Instruction ID: f535883b6b1add7c63cb525173a4c1cfe13ce1de74396a9ef444fec06daac700
• Opcode Fuzzy Hash: beccb7d86c2954a7fc10e30dece208e86fbda4b0e9689d0cb59a62a2a68d5440
• Instruction Fuzzy Hash: 9F31E831E1C9494FEB99FF2984653B93BE0EF19352F5001BBE44EC72D2DE6858458781
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7fa040d903aa92407581f2fa24f6c7e0e4aae478c265aa3839e400b64967ccb5
• Instruction ID: 753fad230f79acc4b850ec5d0c8fcf30342fc5a1c8025804ba7b25c48ccbbac7
• Opcode Fuzzy Hash: 7fa040d903aa92407581f2fa24f6c7e0e4aae478c265aa3839e400b64967ccb5
• Instruction Fuzzy Hash: 2A41A821B0C6868EEB55DE2894607F97B90EF55311F2445B6E04EC72D2DFE8A9048BC1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8a57f6e544bb5c482ba9465fb08def7ffcb95fe5e1a4e73d51d2a0c8e5889f4c
• Instruction ID: 7a425c3dd582164be205cfedc0bc658fce25c32c27ae68bdd9f582d9906f95a8
• Opcode Fuzzy Hash: 8a57f6e544bb5c482ba9465fb08def7ffcb95fe5e1a4e73d51d2a0c8e5889f4c
• Instruction Fuzzy Hash: 2531C412F0DB891FE795AB3848A92752BE2DF9F210B4940FAD04EC73A3DD5C6C068351
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a99eb768fb77a3e75a31c0291e1ea4f82f0a2f2fb9c6183859dbcf21d2c0ddec
• Instruction ID: 136a1e09c3527a24dce54fe14b7e8e1bd7b9ce3566044d5ea3082cca066a18c9
• Opcode Fuzzy Hash: a99eb768fb77a3e75a31c0291e1ea4f82f0a2f2fb9c6183859dbcf21d2c0ddec
• Instruction Fuzzy Hash: 5D41F561A0D7C54FE7539B3898647757FA0AF47300F5900EAD089CF293DA689D0AC7A2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1cf91cd52e5bdc33977169614145d46c3dbe7b1835e636be6f438f27338fa137
• Instruction ID: 92d207a9eb3c693c0a4b5bd6bdcd8995611564ca7cd70f5e59de4612aab95957
• Opcode Fuzzy Hash: 1cf91cd52e5bdc33977169614145d46c3dbe7b1835e636be6f438f27338fa137
• Instruction Fuzzy Hash: 77318271A0DA8D8FEBA4EF18C898BE837D0FF29301F10017AE44EC7252EA74E5458B44
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e624afbbfe10047800f25acc94672b47f6b6062162dd7ef40a175be565d245a4
• Instruction ID: 9ffba7a24337f6310697046dd3c03050d0ec8867f5c788bb706c4470cb364045
• Opcode Fuzzy Hash: e624afbbfe10047800f25acc94672b47f6b6062162dd7ef40a175be565d245a4
• Instruction Fuzzy Hash: F941C871A1DA4D8FEB85DF2884997B93BE0FF19345F6001BAE40FCB291DB7995418B80
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 392d62b0cecb443da91d4ea6278bb6f2f3ee6505cb15e2718e955d8b65993a86
• Instruction ID: b32a0b9bbf2a27f7de4b968f5255b5b9a36d6911460aec54f7fc41190df22bd9
• Opcode Fuzzy Hash: 392d62b0cecb443da91d4ea6278bb6f2f3ee6505cb15e2718e955d8b65993a86
• Instruction Fuzzy Hash: FB31127090968D9FEB81EF38C4596A97FE0EF26301F5401AAE84DC7252EB34D585C781
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6c874012c96650f72e955ea60eb56b3b95d52568011fff3f2150fd33094c5474
• Instruction ID: 1ff8db380b62bd71c17af15caa22a017165f57ca20562901149502ed5f8cf864
• Opcode Fuzzy Hash: 6c874012c96650f72e955ea60eb56b3b95d52568011fff3f2150fd33094c5474
• Instruction Fuzzy Hash: 2D314E30B18A094FEB98FF29889577976E1FF49301F5045BAE40EC7292DE78AD4287C1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3e059b893b81e6c556b7428b3504d528bf1dad619d62c3bf9fd67171e674e283
• Instruction ID: d7afb09767465c4cc801792ce09959bfcb893cf36bd71cf68e7588317f34850e
• Opcode Fuzzy Hash: 3e059b893b81e6c556b7428b3504d528bf1dad619d62c3bf9fd67171e674e283
• Instruction Fuzzy Hash: E931E761A0DB8A4FE7A1EB2884547A87BD0FF56311F5444BEC08DC7293EE25555AC382
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 21a9a002d51c40ea30f21065c16439a78320fbdc3c07a7a2f0a2eab5cc9e903c
• Instruction ID: 84b49c63b22478135953c33b7cc44ad95b94dca587876b332a016bb9eb71d489
• Opcode Fuzzy Hash: 21a9a002d51c40ea30f21065c16439a78320fbdc3c07a7a2f0a2eab5cc9e903c
• Instruction Fuzzy Hash: 1A31B361A0D7C94FEB46EB388C646697FA1EF46300F5501FAD04ECB2E3DE285905C361
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 209a9e947bcdd7088fb8356472429e1695feaf3533b3def7ac8c36dc8dc8d1a2
• Instruction ID: 2f58e4de56527c6507a0e71513c1b167be531efad9bd6dfba6f129672ec698e3
• Opcode Fuzzy Hash: 209a9e947bcdd7088fb8356472429e1695feaf3533b3def7ac8c36dc8dc8d1a2
• Instruction Fuzzy Hash: 9331B47171C7894FE381DF2884A4766BBE0EF8A301F4005BEE48AC72A2DF68D805C752
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9df34383a1f3d8540cb3ac2ad6e2ea8b024ff9a1426dd829165156aac76a0acc
• Instruction ID: fb44110f621603fe0ce9409456cafbaed0a4746eef8f5a378bd1b0c3c40079bc
• Opcode Fuzzy Hash: 9df34383a1f3d8540cb3ac2ad6e2ea8b024ff9a1426dd829165156aac76a0acc
• Instruction Fuzzy Hash: 8631C271909A8D9FEF85DF28C4597E93FE0FF15341F2441ABE809CB262DB7495408B80
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 393a0e85ba3860bb71b28545da2b83049d01884e8bfacba011ce26e42d4894be
• Instruction ID: 8d62c30559a141d2aad5a32f4993b72b3d5191cd88a97abad2f16ada6cd1bb87
• Opcode Fuzzy Hash: 393a0e85ba3860bb71b28545da2b83049d01884e8bfacba011ce26e42d4894be
• Instruction Fuzzy Hash: 7C319330B08A498FE785EF2CC0A9665BBE1FF69301F5841BEE44DC7392EE65D8418B41
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 35157df48cb026a423cac4af09eaaf6fa426a18bed7c887deacc2500bc29f3ed
                                                                                                      • Instruction ID: 450f5431feb4465c16af8e1114912d9d3424a5848168f75b7214ada642c9a72f
                                                                                                      • Opcode Fuzzy Hash: 35157df48cb026a423cac4af09eaaf6fa426a18bed7c887deacc2500bc29f3ed
                                                                                                      • Instruction Fuzzy Hash: 04314F60609A464EFF95DF28C4A47A57AD0EF05306F5840F9CD4DCE2E7CBB89448CB61
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: d6be1638c3317e1794d068894b352e6f042345f94ff63aeff2080fd99490fd90
                                                                                                      • Instruction ID: 8f67e0eb32e6108911121d70bfc7808f37a8fbf39c1e7786f83aac46e13594dc
                                                                                                      • Opcode Fuzzy Hash: d6be1638c3317e1794d068894b352e6f042345f94ff63aeff2080fd99490fd90
                                                                                                      • Instruction Fuzzy Hash: 3D31B161B0C68A0FEB56AB3948747757BE0AF47301F1900FBD48ECB2A3E96899058351
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 3ce6ac4003eb4206c3baa1b65fbc737cae08eb12bb6ded41f61f507c59e4bd24
                                                                                                      • Instruction ID: 7eac392bcd8244079aaaf0918c0da59d2204bce81f09f9b655633ac69b28d3b3
                                                                                                      • Opcode Fuzzy Hash: 3ce6ac4003eb4206c3baa1b65fbc737cae08eb12bb6ded41f61f507c59e4bd24
                                                                                                      • Instruction Fuzzy Hash: 3421F430708A884FEB45AB3C84A9B643BE1FF5A711F1500FDE08ECB293DE68D8468341
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: c1911b5cfca2d80cb983488cb9c850d6729cf6571c93a6b7e019240cae1870db
                                                                                                      • Instruction ID: ecbe701e2cbbfefa5a04cfa6404c52a3a932c55ba94860b68251fa044aed3a34
                                                                                                      • Opcode Fuzzy Hash: c1911b5cfca2d80cb983488cb9c850d6729cf6571c93a6b7e019240cae1870db
                                                                                                      • Instruction Fuzzy Hash: 1E112714B0C64A1FF744663C48962F537D0EB4A226F2401BDE189C72E3E888584B8381
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 59614fc68a257dd1ba588c329c3062fabceb611972705e6c7cb369cda1511608
                                                                                                      • Instruction ID: fb2319761394b1bfc04975d4fb9b41724fdf399f023ed2e3b6ab68e6eb835ffd
                                                                                                      • Opcode Fuzzy Hash: 59614fc68a257dd1ba588c329c3062fabceb611972705e6c7cb369cda1511608
                                                                                                      • Instruction Fuzzy Hash: A731E671A1CB4C5FEB68DF18D8627FA7BA0EF0A311F50016EE44AC3291DB75684687D1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 137fe2c56d4fe7d827e673b219de61d34011f74e6b53f1436cc4e8e6fcf78724
                                                                                                      • Instruction ID: 2dc6341d2d9842e5de82df1588a078e0d44f95c3b4294b2a142fcc993425832f
                                                                                                      • Opcode Fuzzy Hash: 137fe2c56d4fe7d827e673b219de61d34011f74e6b53f1436cc4e8e6fcf78724
                                                                                                      • Instruction Fuzzy Hash: 8331A271A0C64C4FEB68DF19D8667BA3BE0EF06311F10017AE54EC7291DB75A80687D1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 546509276dd25a41168597818bff112b24f34db5c13d426a587625a31aba35f0
                                                                                                      • Instruction ID: 8990aefac15f32bed726549e21b9be2b510113a97de9b84abdc1af82cb1df559
                                                                                                      • Opcode Fuzzy Hash: 546509276dd25a41168597818bff112b24f34db5c13d426a587625a31aba35f0
                                                                                                      • Instruction Fuzzy Hash: 0421D611B0DA894FE785AB3C586A7B57BD1EF9A311F5400FAE44DC72D3ED649C018781
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 301c8656ed2a5bba0bda0180edb5ed42e44737235c341cc00b5ba09abfcf050b
                                                                                                      • Instruction ID: 7391c27cb4f63ec5a14e1a08cf72fcb4156f007b895c8285e5633c2e9820b97d
                                                                                                      • Opcode Fuzzy Hash: 301c8656ed2a5bba0bda0180edb5ed42e44737235c341cc00b5ba09abfcf050b
                                                                                                      • Instruction Fuzzy Hash: 9421E411B0D68A4FEB55AB39886173D7BD4AF0A202F0400FBD44ECB2D3DD68A8014751
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 9e675a7ea38bca8a6d7b62253d67cb73c5034a73e81b28e52620d6efa1c67cc6
                                                                                                      • Instruction ID: 861012fc850e134a7b0b9e9f9081ab81ad9be7595a1515ecc3bf612179fec8b9
                                                                                                      • Opcode Fuzzy Hash: 9e675a7ea38bca8a6d7b62253d67cb73c5034a73e81b28e52620d6efa1c67cc6
                                                                                                      • Instruction Fuzzy Hash: A221F920B2CA4A5FD761DF2A94A12B577D0FF49312B1109BAE10EC72D1CEB4B40283C0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 8d0b1f39796c173cc570b2b5938f7045e2e59ce7eed68a32d323fd409f808928
                                                                                                      • Instruction ID: 70d63da0cefd54228e6509f04196c83789620b6198768aad4f287ba3ea5cdae9
                                                                                                      • Opcode Fuzzy Hash: 8d0b1f39796c173cc570b2b5938f7045e2e59ce7eed68a32d323fd409f808928
                                                                                                      • Instruction Fuzzy Hash: AB212B22B0DB894FF3469B3888E13647F92EF46315F6844FAD049CB2D7DD6A684A8741
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 6b836e3d679ce56b0be806075f161125b729b3d50d9d931c7b7ddaa284dfc6b0
                                                                                                      • Instruction ID: 746ac3b18b55393d12682c83f422b5ae57e03405f820502da2ef06f7555db1bf
                                                                                                      • Opcode Fuzzy Hash: 6b836e3d679ce56b0be806075f161125b729b3d50d9d931c7b7ddaa284dfc6b0
                                                                                                      • Instruction Fuzzy Hash: 41217406B0DB850FE78AA73948B92786BA29F9A24174940FAD44DC73E3ED587C068352
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 9cddf738819ced4006ae1157979c8d338f375854939d70cfbf8dbd5e6e7750be
                                                                                                      • Instruction ID: 74857fdb213c4151ea0289284d3a0e80f916e4ae36e3bf2df14f6a33c6f8b9fa
                                                                                                      • Opcode Fuzzy Hash: 9cddf738819ced4006ae1157979c8d338f375854939d70cfbf8dbd5e6e7750be
                                                                                                      • Instruction Fuzzy Hash: EC317330A0C7898FDB65EF1898957E877E0FF4A315F1401BAD84DCB262DF39A9028785
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 0edfe6967b7c768f89f2cf70542809f71ef110f7672db907f9e592d018d46c97
                                                                                                      • Instruction ID: 0680a8efb5074da2c9a7e7b16deb3a64019c77a5c99f22efafb14cfa6e486969
                                                                                                      • Opcode Fuzzy Hash: 0edfe6967b7c768f89f2cf70542809f71ef110f7672db907f9e592d018d46c97
                                                                                                      • Instruction Fuzzy Hash: 1721C642F19E960FF755A62E18653B81682DFE9251F1841FAE05DC33E7DD5D2C0643C1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 186c349a65a8cb55397ec9a7401670b331075b1a689530125c977f09a6132ded
                                                                                                      • Instruction ID: 44509bb1c24f3ec07ad7f4773953521a0f5ff307d978b3c23fa4ef14851866ca
                                                                                                      • Opcode Fuzzy Hash: 186c349a65a8cb55397ec9a7401670b331075b1a689530125c977f09a6132ded
                                                                                                      • Instruction Fuzzy Hash: 3F21807190DBC88FCB41DF2CC458655BBF0FFAA301B1505AEE089CB262D765D945C742
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: fbe23e003065cf7de26114ce8b48f38bf607695e3c2b726e96aa574d124d49a4
                                                                                                      • Instruction ID: 17c97672c3ad9f6de7360ed622cb1ea44845f084311333ee408726e4c32e0df4
                                                                                                      • Opcode Fuzzy Hash: fbe23e003065cf7de26114ce8b48f38bf607695e3c2b726e96aa574d124d49a4
                                                                                                      • Instruction Fuzzy Hash: B1114221B1CE190BEB4CBB7D589A6B9B2C1EF9C711B5404BEE00FC32E3EC59A8054285
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: df2427ad5ec967b3e7d142487a9e1682aa9bf45be2494d66fbe8db22ca520f25
                                                                                                      • Instruction ID: 7bc52c2cb31da9149bdf912edae9d3690ef7d52a584eafe3a0fe1916c9b99411
                                                                                                      • Opcode Fuzzy Hash: df2427ad5ec967b3e7d142487a9e1682aa9bf45be2494d66fbe8db22ca520f25
                                                                                                      • Instruction Fuzzy Hash: CC21F511F0D68A4FE785EF3C887527A6AD1EF4A245BA504BEE04EC73D3EC98A9404791
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 7945fb3a6f3e520ae047af3a1c74e614abb5d2428621942a9ebe56a063ad9549
                                                                                                      • Instruction ID: 7befb1615bd72aeccd5562f0d6bcbaf3210d248c29b9464e9efada2288a1e33c
                                                                                                      • Opcode Fuzzy Hash: 7945fb3a6f3e520ae047af3a1c74e614abb5d2428621942a9ebe56a063ad9549
                                                                                                      • Instruction Fuzzy Hash: A0114062F1D7891EF7566A351C6B1B12BD0DF52262F1504BFE089C3593EDDA680382C1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: ba9a9da68e07d9851a06ca41e14e580c090a2581873a157762044be892102a87
                                                                                                      • Instruction ID: 8d6d38750fcb0cd84806ec971d3fe2fb19b49beb7db8ea53045d3bdcd0774df7
                                                                                                      • Opcode Fuzzy Hash: ba9a9da68e07d9851a06ca41e14e580c090a2581873a157762044be892102a87
                                                                                                      • Instruction Fuzzy Hash: 8B21E41270EB894FD7569B285C782207FE0EF5B21271A00FBD84DCF2E3C9585C548792
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 757f77fe5d45d014381704a293f1d0a77ae8f42b24f0a903636d0b35ab1b5d94
                                                                                                      • Instruction ID: 9e40288682c15b7395b5204b29bf8fff182b2c1b71a66689c604678e9c74bab1
                                                                                                      • Opcode Fuzzy Hash: 757f77fe5d45d014381704a293f1d0a77ae8f42b24f0a903636d0b35ab1b5d94
                                                                                                      • Instruction Fuzzy Hash: 2D214F30B189469FDB98DF29D4A1E3477E1FF58302B6541B5D409CB69ACA68FC80CBC1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 117dfc961b93f9bbbe794559d37862011238a445f6f67332372f0a48bd17dd5a
                                                                                                      • Instruction ID: d9d92f7a7f80bfcc7fce32a94f34c1cfbca580dd6ff8efaba8bdfb2db757803a
                                                                                                      • Opcode Fuzzy Hash: 117dfc961b93f9bbbe794559d37862011238a445f6f67332372f0a48bd17dd5a
                                                                                                      • Instruction Fuzzy Hash: 8A11937150D7844FE755EF24C869BA67FE0EF56201F0405AFE48CCB293EA649445C751
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 70c78a05086102afc5f42fbe668eafa1183e8424e748e7271a98041aa322e2df
                                                                                                      • Instruction ID: 8a89089791e3c6f3c0fbaf8f3971b9374e89f90d50c90afaa7dbbb4242dfd272
                                                                                                      • Opcode Fuzzy Hash: 70c78a05086102afc5f42fbe668eafa1183e8424e748e7271a98041aa322e2df
                                                                                                      • Instruction Fuzzy Hash: D4110056B0DB860FE7566B340CF51603F609F4B21271514FAD549CB2D3DD9D2C46C391
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 346cf0607e73fae70aa832bd0cef875710d8c3924d58ad25d190d354dc7e0df1
                                                                                                      • Instruction ID: 264bd5de33758ffbd4b7f0c16c84aa49414de9130d54eb95e54a81658f8c5fef
                                                                                                      • Opcode Fuzzy Hash: 346cf0607e73fae70aa832bd0cef875710d8c3924d58ad25d190d354dc7e0df1
                                                                                                      • Instruction Fuzzy Hash: 79214F42E0DBC94FEB46A73848756652FB19F4B24079900EAD04ECF3E7ED186D49C321
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 32ff24386dd4956ce34f1c8b86940ac0d1f322e97dab1edde85ee7c92960a418
                                                                                                      • Instruction ID: 32e43c28c589a40fd6f4684aef78fea054e926dbe438ef0eeef698d6b87a2fa2
                                                                                                      • Opcode Fuzzy Hash: 32ff24386dd4956ce34f1c8b86940ac0d1f322e97dab1edde85ee7c92960a418
                                                                                                      • Instruction Fuzzy Hash: 4C113AB2A0C65D1FEB99DF186C562F63BD0EB45221F0601ABE54ECB192DA64594283D0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: d13949134009e255164ffe09cf83812321f36073a8777e1d5c372755c0ca88d1
                                                                                                      • Instruction ID: a7126442c7c20470c701e6e917206ba6af6c191744c6bd5a0438d8a7ec8b7ca9
                                                                                                      • Opcode Fuzzy Hash: d13949134009e255164ffe09cf83812321f36073a8777e1d5c372755c0ca88d1
                                                                                                      • Instruction Fuzzy Hash: D111B171608B888FEB45DF28C4996A17BE0FF5D300F1841BAE84CCB263EA69D9448B41
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 351d4e3c1ee31dcb975a921215f2a14cbc040ca9959e48968047b981df7aea79
                                                                                                      • Instruction ID: 7f9e2e96a121c5c891f756ee6e0f006aacd7c15d2245375cd72ecfe09ec9cc03
                                                                                                      • Opcode Fuzzy Hash: 351d4e3c1ee31dcb975a921215f2a14cbc040ca9959e48968047b981df7aea79
                                                                                                      • Instruction Fuzzy Hash: 1A219001B4C6860BFB46BB7C40752BD5A828F85202F5846BBF48DCA3D7CE9C580293D2
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 7671e56fda7ea2cb034771a3769e1f5c51dcb14f6f117344384ea7a862ec72f5
                                                                                                      • Instruction ID: 10ab5f3dba500ff8f44916724c54f08123de62481c2f182d30a1d33b970dd8d5
                                                                                                      • Opcode Fuzzy Hash: 7671e56fda7ea2cb034771a3769e1f5c51dcb14f6f117344384ea7a862ec72f5
                                                                                                      • Instruction Fuzzy Hash: 09219A71A0D7859FDB46EF38C4944A47BE0EF0A314B5445BEF48ACB253EA35A806CB16
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: b1b4976b8010949d719c818bcadb6a761ef678832260d56beca93e06a6b0d787
                                                                                                      • Instruction ID: 74bbfd6bccb698b64bca150f2a86139cc0d2b7ec43bcdaa96aecad052fd81443
                                                                                                      • Opcode Fuzzy Hash: b1b4976b8010949d719c818bcadb6a761ef678832260d56beca93e06a6b0d787
                                                                                                      • Instruction Fuzzy Hash: 9211C812F0E7C60FE7199B795CB66B47B90DF5662270D05FBD088CB1E3D948680683D1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 5e4e32f9eccbbbf10561ff5b8e44b77b4ab2f99cbb34071870e2d48b98f703fa
                                                                                                      • Instruction ID: c3c14bec69a675aacfefcd800491bb00dfab4b0b7899804dbad40075969b0138
                                                                                                      • Opcode Fuzzy Hash: 5e4e32f9eccbbbf10561ff5b8e44b77b4ab2f99cbb34071870e2d48b98f703fa
                                                                                                      • Instruction Fuzzy Hash: 18118220E0865D5FEB55AF2888693BA3BD1FF49751F0442BEE44DC32A2DE7C5A018381
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: c189e8607741a6e51dddf4d7cb3efc34d6d19152d97ad528dd9c50ebeba8414b
                                                                                                      • Instruction ID: 8ae29391b777bc8fd3480fd9a7dd25975274943627f38697313d51722b3d074f
                                                                                                      • Opcode Fuzzy Hash: c189e8607741a6e51dddf4d7cb3efc34d6d19152d97ad528dd9c50ebeba8414b
                                                                                                      • Instruction Fuzzy Hash: 48112C30B189098FEF68EF2898957B873D1FB58311F1005BAD41EC3296DE64A8528B81
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 65417f72a65c9192975001bb14c3923e555d9c6e80a27bae41a2185f17109376
                                                                                                      • Instruction ID: 4b4e12b1feec98f78d73204e47d318bb2cb624c05057e2759167e39752b72d27
                                                                                                      • Opcode Fuzzy Hash: 65417f72a65c9192975001bb14c3923e555d9c6e80a27bae41a2185f17109376
                                                                                                      • Instruction Fuzzy Hash: 4721026170C7898FEF26DF2898517E93BD0EF56311F1001BFD08EC7292EA68D1418B82
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 7f7b1a5bd983200a25569e7406115b81834fe14e3bf62d204b95c5a635466e47
                                                                                                      • Instruction ID: e903e2074e94a08687d0bff9358acefae375f57c648bf3e64cf266f12d1cbaab
                                                                                                      • Opcode Fuzzy Hash: 7f7b1a5bd983200a25569e7406115b81834fe14e3bf62d204b95c5a635466e47
                                                                                                      • Instruction Fuzzy Hash: D8116021B1C6814AE76D6B1894517B973D1EF85316FA0457EE0CEC32D3DE6CB4428A86
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 1dd1672f4de87e41a6c32aaa91dfae58ca74dbf2674958bec65fc5953d0e2e58
                                                                                                      • Instruction ID: b08d1a00ec6d68273da7179a4d9db9692a9760f73543f0ab1961306b46ead9e9
                                                                                                      • Opcode Fuzzy Hash: 1dd1672f4de87e41a6c32aaa91dfae58ca74dbf2674958bec65fc5953d0e2e58
                                                                                                      • Instruction Fuzzy Hash: 43312A35A185498FDB65EF14C8D06E977A0FF19301F5041BAE80ECB392DF74A986CB80
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 44a54718fd66d859cdc96f8d9d2f5404bf54df0867fc0dc84ea38b2207f42f82
                                                                                                      • Instruction ID: 8b25fe85c685e5a01c1747edc30572e4702d6202b4c3aee01e85fe80906a71d8
                                                                                                      • Opcode Fuzzy Hash: 44a54718fd66d859cdc96f8d9d2f5404bf54df0867fc0dc84ea38b2207f42f82
                                                                                                      • Instruction Fuzzy Hash: A4118221F0CA2A0AEB5C7E2954A63B86281DF45322B60057FD55FC32D3DC6DA84345C4
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 9cdc46481331543215e57da99a81727ad5c693c5981d839265774b007e4e1d4c
                                                                                                      • Instruction ID: 165fbdf430495f4417b3b1fa62bc0344baf90b9ba6b4d37791ad64586862a68b
                                                                                                      • Opcode Fuzzy Hash: 9cdc46481331543215e57da99a81727ad5c693c5981d839265774b007e4e1d4c
                                                                                                      • Instruction Fuzzy Hash: E201D842E0E7C51FEB4657740CE51B12FA19F57211B2915FAE44ACB2E3DC892847C381
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: f0d2f23326e2d5b66f02df7b5619011476b46ec6c9969d891bb35f595b3ae71e
                                                                                                      • Instruction ID: 940d67074d4a7308385ab784313f896c90c5b469eb3a5510e48760b5994e715d
                                                                                                      • Opcode Fuzzy Hash: f0d2f23326e2d5b66f02df7b5619011476b46ec6c9969d891bb35f595b3ae71e
                                                                                                      • Instruction Fuzzy Hash: 51012113B0D9490FFB599A3858662B97BC0DF45212F5404BBF98DC31C3DC9D68114BC1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 989e3db41f988be5a1646446fe6156ffa0d6cda33e55999eef4b5940cf49b630
                                                                                                      • Instruction ID: 9fc2af2097083494b09e2f5765d2c58969c414c18e8f42c0e289def737ff9f0b
                                                                                                      • Opcode Fuzzy Hash: 989e3db41f988be5a1646446fe6156ffa0d6cda33e55999eef4b5940cf49b630
                                                                                                      • Instruction Fuzzy Hash: C911C662B0EA8A0FF759AE6858A126477C1EF89351F5400BEE48DC3383DDA96C464785
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 35b7cb90a743e414f1ead0504f5ccfb0ce68ac7e55b7a28fd155b51fd9764149
                                                                                                      • Instruction ID: 3c3d4ae843aa5656e5d710649c6c9d85140f3ac8e68ecc0610520f14a37e1d54
                                                                                                      • Opcode Fuzzy Hash: 35b7cb90a743e414f1ead0504f5ccfb0ce68ac7e55b7a28fd155b51fd9764149
                                                                                                      • Instruction Fuzzy Hash: C411F201F8D75B9AE6047BB908B20FC26909F45342B4002B7F04DC63D3DCAC744482AB
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: dabb760ce17dbd04841f8f91fc1532212bc01a2afcbeed31b557015405879a78
                                                                                                      • Instruction ID: 86366465d233ae9f7d62518ecfbda92da7782ef821c8061310d80b952c29e485
                                                                                                      • Opcode Fuzzy Hash: dabb760ce17dbd04841f8f91fc1532212bc01a2afcbeed31b557015405879a78
                                                                                                      • Instruction Fuzzy Hash: 7C118652F1CB551AF719AA295C627B9B7C2EF49311F9000FEE00EC72D3ED5D78064286
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: c36348f1a2dc9ed58c420e4ae36a4084164ba7f7103e7caa6fac6e8b6b46c82a
                                                                                                      • Instruction ID: 953132a5f71faab9429cde738f6a9ced301a6ed3e63a8ec6bafa70e2ba271a6f
                                                                                                      • Opcode Fuzzy Hash: c36348f1a2dc9ed58c420e4ae36a4084164ba7f7103e7caa6fac6e8b6b46c82a
                                                                                                      • Instruction Fuzzy Hash: 5A01F751B0D3851FE345AA7454676F67B90EF03262F0502BEE88AC7393ED89590782D2
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 59dfb4b96959cbde668a03903ae2108d605d5704dbe24b7eee5f1f16acbc70b5
                                                                                                      • Instruction ID: 704e0a562b4d3ee534e48d009497e972b1af19726f7c5fc7caef6390405b173f
                                                                                                      • Opcode Fuzzy Hash: 59dfb4b96959cbde668a03903ae2108d605d5704dbe24b7eee5f1f16acbc70b5
                                                                                                      • Instruction Fuzzy Hash: 6511619260FBC41FEB47AB3548766207FA1AF17246B4940EBE085CF2E3DD996C09C791
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 8f70600a87adf1cc6c6e19a8807dc54d69b22db1b636a63804bdbd08853607fe
                                                                                                      • Instruction ID: 085b5bfd0ec96eb083d48f02c5e409d366d97d8df11dcd1bf88c95df88516f2e
                                                                                                      • Opcode Fuzzy Hash: 8f70600a87adf1cc6c6e19a8807dc54d69b22db1b636a63804bdbd08853607fe
                                                                                                      • Instruction Fuzzy Hash: 9B115112F58A4A0AFB98FB384C957F822A2EFA8210F54547DA41EC32D7ED78B9194700
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 552a5826d8db0543ff53bee50383ca521c99e0725557b2a6592c9877019f1cad
                                                                                                      • Instruction ID: bb78826221b1b49c5e3aa02521414fe835ffb096854b2a7b6c04c73c18f09e5d
                                                                                                      • Opcode Fuzzy Hash: 552a5826d8db0543ff53bee50383ca521c99e0725557b2a6592c9877019f1cad
                                                                                                      • Instruction Fuzzy Hash: DF112611A0DBC74FEB56BB3884245643FE0AF16311B6844FED089CB1D3ED68A906C352
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 9b940dfe510ae368fb5613bf4be7492562756a495f8d93ad51aac8943c4dc6ff
                                                                                                      • Instruction ID: a727d1351a4ffd2547cb34c611005c5fd7c9f0c29ac4a641be5b8625e114398d
                                                                                                      • Opcode Fuzzy Hash: 9b940dfe510ae368fb5613bf4be7492562756a495f8d93ad51aac8943c4dc6ff
                                                                                                      • Instruction Fuzzy Hash: 7B112521B08A498FDF85EB3C8498B6837E1DF9A311F5514F9940ECB397DD28DD498711
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 06775dac0c93c5b9457e77ca9508cf9816a2f40575a38a2553393ff357eaf4ce
                                                                                                      • Instruction ID: d7aa7bcb4b1fe3614f9214e038479d494c61ee9d36698cdc6e9eab8ac484220d
                                                                                                      • Opcode Fuzzy Hash: 06775dac0c93c5b9457e77ca9508cf9816a2f40575a38a2553393ff357eaf4ce
                                                                                                      • Instruction Fuzzy Hash: 7801F211A0C6C40FE746AB3988787643FE1AF8A605F4900FAD988CB3A3EE5C48468352
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 8e3476d0dc2e295fd49cc741460ada7c943231120a68f050727d0af31b450f6a
                                                                                                      • Instruction ID: f63c3e0651e82b1d9dfaec66e867543fe7bc4132fa838514eee2545a78d3f6ea
                                                                                                      • Opcode Fuzzy Hash: 8e3476d0dc2e295fd49cc741460ada7c943231120a68f050727d0af31b450f6a
                                                                                                      • Instruction Fuzzy Hash: 9201F192F5D74A0AF309776858A31B973E0EFA6262F54107EE44EC33D3EC4DAD024282
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 9cd4b6e7cc66303164003e13405f980afb7789e294ce8b210c96ff4de99e16aa
                                                                                                      • Instruction ID: 7ea65c3d90c69df201a8db63eb7af8bcf91e021d81ad8bead96eaa15a6d89f98
                                                                                                      • Opcode Fuzzy Hash: 9cd4b6e7cc66303164003e13405f980afb7789e294ce8b210c96ff4de99e16aa
                                                                                                      • Instruction Fuzzy Hash: 8A01B111B1CA490FD7A1EB2D0CA967877D2EFA9611B1941FAD04DC32B7ED186C068382
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: e1142ad23f13aad2bc38c1d726e8ab4436703d983831621a9c43a4afe082c175
                                                                                                      • Instruction ID: aab030a0e32b50fe6a7154e8af9f7427ddc9d4135db22fba1f7d502563ed42bc
                                                                                                      • Opcode Fuzzy Hash: e1142ad23f13aad2bc38c1d726e8ab4436703d983831621a9c43a4afe082c175
                                                                                                      • Instruction Fuzzy Hash: 7F11917060D6C88FDB61EF24C895BE87BA0EF06301F1401AEC48ECB263DA385549CB41
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 1034678e05959461a3285fbffb563403c6b04ff899ce9e76cdd3cb8cf7afde2f
                                                                                                      • Instruction ID: 65fb77f07361d81afab418cd1c12ce60cae7c506403d86b28d8ff27f1a177e26
                                                                                                      • Opcode Fuzzy Hash: 1034678e05959461a3285fbffb563403c6b04ff899ce9e76cdd3cb8cf7afde2f
                                                                                                      • Instruction Fuzzy Hash: 30F02B2160E6C60FDB059B258C197A53F60AF57211F0908FBC844CB293D6486585C391
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 684918fca382923a5ff597b4f66c5619047ca4b2d2e0d6672998d722c7abfbe8
                                                                                                      • Instruction ID: df21c5b92c24cbb950805e310b70474e4c9465886b06ed3be9d849cdb24630ef
                                                                                                      • Opcode Fuzzy Hash: 684918fca382923a5ff597b4f66c5619047ca4b2d2e0d6672998d722c7abfbe8
                                                                                                      • Instruction Fuzzy Hash: 71014430318E0C4FCA84AF5C649A77873D2EB9D322F1401BEE00EC3393CE6598458782
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 1ca71f9edc42fcafa04b9a56d27e06cde261eb488f4da903068bda609ce1211d
                                                                                                      • Instruction ID: 5956c78f274d9fdb24348ee29424cdd84e23ebe6bc9ebcb0abcea15e235a90f3
                                                                                                      • Opcode Fuzzy Hash: 1ca71f9edc42fcafa04b9a56d27e06cde261eb488f4da903068bda609ce1211d
                                                                                                      • Instruction Fuzzy Hash: 33F04C02B0C5950EEF2149AA18703F53B90CF57627F2900F3C969DB2E3D84888419BF1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 55316ffd4e8bb7d479cc56dcbe4a688eeecd8bc6be20691dd323f7df4d0a05b3
                                                                                                      • Instruction ID: 08fb0f251f064f9a7d325e25d4adc4e37c34c1d01dd2a999c4e62a7f5e0d5a59
                                                                                                      • Opcode Fuzzy Hash: 55316ffd4e8bb7d479cc56dcbe4a688eeecd8bc6be20691dd323f7df4d0a05b3
                                                                                                      • Instruction Fuzzy Hash: 57F0E201B0E6C50FE715A77558AA7607B909F47212B1900FAD448CB2D3ED8CA9458351
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 1a58699843f27a49f187c8c7199563d411ba282cb503724608b3fc3b502cd745
                                                                                                      • Instruction ID: e9effe35cb9fa34f3cd4a8acd55a2f74ce519ace6d072d6267648a94029cf44e
                                                                                                      • Opcode Fuzzy Hash: 1a58699843f27a49f187c8c7199563d411ba282cb503724608b3fc3b502cd745
                                                                                                      • Instruction Fuzzy Hash: FA01F522B0D5494EE365AB2898363B87B91EF46341F7500FAD44FCB7E3ED5929068782
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: c85f111c1d77310a4a68ae5333ed6147be15cf7370283ab680b3ba32c73cbac5
                                                                                                      • Instruction ID: 5c3da55e9fdc38cd91c533a6e03e879d5f7bae135708547f4fcdc409ecaced81
                                                                                                      • Opcode Fuzzy Hash: c85f111c1d77310a4a68ae5333ed6147be15cf7370283ab680b3ba32c73cbac5
                                                                                                      • Instruction Fuzzy Hash: 6301F962A097441FEB85A7685869BE53FE1DF1E700F0A00E6E44CCF3D3DC685D458361
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 46637d0bb37275028e5382e7552c9489407682aa29799ed3c30bea7813436ac2
                                                                                                      • Instruction ID: 0c2c42a69994848971fa6642b77a4e063f137e38169c110190cd5c9a7ac682b3
                                                                                                      • Opcode Fuzzy Hash: 46637d0bb37275028e5382e7552c9489407682aa29799ed3c30bea7813436ac2
                                                                                                      • Instruction Fuzzy Hash: 47F0447090DB885FE784EF28885DA367FE4FB5A201F00066FE989C6162EA6098818752
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: b3df7b6cbf7dd1168e52eef395c89b0525eba716bc2dae424a9d3b815e109f0d
                                                                                                      • Instruction ID: b5af17045623b18c3427fc01e3715e0bb51bab0a08816a8e1980f4331142e4e3
                                                                                                      • Opcode Fuzzy Hash: b3df7b6cbf7dd1168e52eef395c89b0525eba716bc2dae424a9d3b815e109f0d
                                                                                                      • Instruction Fuzzy Hash: 62118861D08B894EF3A1FB2484587A9B6E0EF99201F50047BC88DC7266EE3465948751
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 68e15d3dbb79363ec770af23182757128f03d95505790b136efb9af041999c34
                                                                                                      • Instruction ID: db3e4a36980866f86286ab3ca8eddddcc90b654709bb5c4e186c8fbd85a05f62
                                                                                                      • Opcode Fuzzy Hash: 68e15d3dbb79363ec770af23182757128f03d95505790b136efb9af041999c34
                                                                                                      • Instruction Fuzzy Hash: 14012852B1EB0BCFEF549D1804211B97380EF08646B24057AD85DC32B1EC9DF5015EC1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 28c0384cb1591ef09bc98689f8a61c269f572bcbed91e1965dfc3df4bcddeb1b
                                                                                                      • Instruction ID: 6be8d288f17e14b8be365038ebd48d4b1e8c2af2538814ed186cb4933d5c696d
                                                                                                      • Opcode Fuzzy Hash: 28c0384cb1591ef09bc98689f8a61c269f572bcbed91e1965dfc3df4bcddeb1b
                                                                                                      • Instruction Fuzzy Hash: A8F0F616B0C9560FE7A4B77914A92B423D0EF58223F0400BBD54DCB2E2ECC95C460391
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: d2456e7afad39a0b33c5328088ce22280f02be0ee15c28a2cb6e0a6027d4b3f2
                                                                                                      • Instruction ID: 9ceb251a7e546c316b1c4aa25d8e2c31dc988f930c723449f74dfd377dd4a457
                                                                                                      • Opcode Fuzzy Hash: d2456e7afad39a0b33c5328088ce22280f02be0ee15c28a2cb6e0a6027d4b3f2
                                                                                                      • Instruction Fuzzy Hash: 21F0E0027599450BE31D1D9D9CF32B87291EBCA226364117FD59BC6787DC1DC54B8240
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 802c4acf746a05ced91554726f091c05613496ab80b9f93bbf86af1f7ed3db77
                                                                                                      • Instruction ID: 05e7ab3734111e602a7ec843b6ac7b42eacfff1a878ea9cedf3f0b6045d4710f
                                                                                                      • Opcode Fuzzy Hash: 802c4acf746a05ced91554726f091c05613496ab80b9f93bbf86af1f7ed3db77
                                                                                                      • Instruction Fuzzy Hash: CBF06211F1CC4A0FA7C8F62C086A6B933C2DFA8651B5441BDD41EC33D7ED4C28024281
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: a3df015005dd3f2ddca81e7e742b97019b6df5b78e41c754283ef7fd16f3455b
                                                                                                      • Instruction ID: ce7fb0984b4c7aaab6d1a22d71a3d7a4b0a027602d3407d2a8fe7b3e266aabf9
                                                                                                      • Opcode Fuzzy Hash: a3df015005dd3f2ddca81e7e742b97019b6df5b78e41c754283ef7fd16f3455b
                                                                                                      • Instruction Fuzzy Hash: 4901813470CA4A5FD381EF18D49066AB7E1EF98341F40157AF08EC32A1DE64D9428782
                                                                                                      Uniqueness
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 4f77aa574214a026cbc198140912d441a0a8702bafaf0f30860afb5f66f3a0ed
                                                                                                      • Instruction ID: 7ae0b04e6e13d68def36c862465350c24f5dc85578aa03d4c8375c4f434fe90d
                                                                                                      • Opcode Fuzzy Hash: 4f77aa574214a026cbc198140912d441a0a8702bafaf0f30860afb5f66f3a0ed
                                                                                                      • Instruction Fuzzy Hash: 6CE07DB264F2818FEB120B244C2A15D7F50EF43310F6640F5E4888B2C3C6C92806C7C0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 2b94bf590a0c65864ec4bfdbafe32d305217a6d48caff54c03a21b6ef50bcaf9
                                                                                                      • Instruction ID: 53019506f1ad05fe2420f21d6414b68eab185bd6f2979abefb9fe17503be1ae1
                                                                                                      • Opcode Fuzzy Hash: 2b94bf590a0c65864ec4bfdbafe32d305217a6d48caff54c03a21b6ef50bcaf9
                                                                                                      • Instruction Fuzzy Hash: F7E06D3171854A8FDB18FF18E8949A873A0FF45352B4144B6E40EC7162CE36E802CB80
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 9d5201e76d7431c97905f11541dc471a7edee397f579bc93ed9ee5681f6b9ae2
                                                                                                      • Instruction ID: bb2748b3f1fd174972a4bf092b58c5e6012aaa1f25de0812f701bf8ce3838c51
                                                                                                      • Opcode Fuzzy Hash: 9d5201e76d7431c97905f11541dc471a7edee397f579bc93ed9ee5681f6b9ae2
                                                                                                      • Instruction Fuzzy Hash: 21E04680F4E3831AFB69692528B23B81D404F02302F1401BEDA998E2D3DCCC2885439A
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: e7525cd77303e1bb5cc78a1bd1ccf187ce7adb4dc08372a84c7d34a2b13df551
                                                                                                      • Instruction ID: c16fa6e1ecabc206fd3b7de5a5ee125e2fb7063dfa065f129ac1910919695587
                                                                                                      • Opcode Fuzzy Hash: e7525cd77303e1bb5cc78a1bd1ccf187ce7adb4dc08372a84c7d34a2b13df551
                                                                                                      • Instruction Fuzzy Hash: AFF03011B0D7864FE786BB7984323696BA2AF87240F6904FAD44DCB3D3ED185D458361
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 3092a2d978e9786c805b487c4819636e6dc426b549003b6917aaff86fc2ba65d
                                                                                                      • Instruction ID: fa8a6930f5c3327e591627acf87894dfb517908fe92c00a8234201038726e199
                                                                                                      • Opcode Fuzzy Hash: 3092a2d978e9786c805b487c4819636e6dc426b549003b6917aaff86fc2ba65d
                                                                                                      • Instruction Fuzzy Hash: BBE04F11F5CA468BF7686E6884913B921D2FF99301F64943DE26FC33D3DDA8F8064A04
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 9131406dcc154762ff64308fa06beb38a2700f00644bb8b423a813ab1b9b08fb
                                                                                                      • Instruction ID: 50ec3733b2b9927af834e9fe5b76f6b3409631c3cfe9dccf6526c179047f056e
                                                                                                      • Opcode Fuzzy Hash: 9131406dcc154762ff64308fa06beb38a2700f00644bb8b423a813ab1b9b08fb
                                                                                                      • Instruction Fuzzy Hash: D1E0862230660E4BEB9CE96DD850BB533C0E744363F004037E445C6290DA5DD2855351
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 553f5964e9b8d20ffb7240490a05c027b91b20295f7854f5206003f48887818a
                                                                                                      • Instruction ID: 823e52ac2446c575daa39c3a7c1450bdc6bc31a8c9a12f2b7642c5e2297af8a4
                                                                                                      • Opcode Fuzzy Hash: 553f5964e9b8d20ffb7240490a05c027b91b20295f7854f5206003f48887818a
                                                                                                      • Instruction Fuzzy Hash: D3F03011B0D7864EE786BB7444313285AA29F47241B6504F6D00DCB3D3EC585D458361
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 2b54c3b23dcc3c7788312e96053ee91120e4dba904f6ae0f79130f413d0ad6fc
                                                                                                      • Instruction ID: 62612271d7d650d32a5d7e1b230906c9094e9e7c72fa25ffc6f36d69d2cbb8e7
                                                                                                      • Opcode Fuzzy Hash: 2b54c3b23dcc3c7788312e96053ee91120e4dba904f6ae0f79130f413d0ad6fc
                                                                                                      • Instruction Fuzzy Hash: 5BE04F02F1DA860FE386F62908A96B95AA1AFAE24078900FE845DC73A7ED482C055311
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 5793ac74e10b1af0cbcbbd96faac9744666600edf0458c4c21885e514cd494d1
                                                                                                      • Instruction ID: ff013cc39e0be5845657e4f3c07fa260c0502c7fcf91e26423cde10e3028f89c
                                                                                                      • Opcode Fuzzy Hash: 5793ac74e10b1af0cbcbbd96faac9744666600edf0458c4c21885e514cd494d1
                                                                                                      • Instruction Fuzzy Hash: 08E08602B8E6490BE345EA756C910B47762DF9A261B5409FBE04EC33A3DC6D65448351
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: bbc7c964801b9701ace16539a70b96ea3b1ff143147e466f240ebd7650a7cf6d
                                                                                                      • Instruction ID: 593f487947096fdc0f2626f1fcdec0bb1543466c385befff1391e181b316e476
                                                                                                      • Opcode Fuzzy Hash: bbc7c964801b9701ace16539a70b96ea3b1ff143147e466f240ebd7650a7cf6d
                                                                                                      • Instruction Fuzzy Hash: 85E02B12F2CA8A07FB0472398C922FC73C1AFC4126F64007BE40EC22F2FD6DA5419242
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 20c3cec3072575b3b4f6211c4393a143bc6cd21e6269cbe6907620ca30ca34d2
                                                                                                      • Instruction ID: c39f96c499c8300659b13e108e398a50d4b0c2e3ed750aa0d5053b45aed2b4d8
                                                                                                      • Opcode Fuzzy Hash: 20c3cec3072575b3b4f6211c4393a143bc6cd21e6269cbe6907620ca30ca34d2
                                                                                                      • Instruction Fuzzy Hash: 63E04824B1DB850F9355AB380C501A667F2BB5D22075417BDD1BEC76E7DE2C94099300
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: f4fcf318c3a32ec26a0e11cfb0610c7dae060f3717a8d486c8ddb587a2ed6eec
                                                                                                      • Instruction ID: b5593f72d57cbdb0ea1565de6125100961fbc75cc2b95a46c407927b70d35344
                                                                                                      • Opcode Fuzzy Hash: f4fcf318c3a32ec26a0e11cfb0610c7dae060f3717a8d486c8ddb587a2ed6eec
                                                                                                      • Instruction Fuzzy Hash: 00E01A20B19A854B9394EB384C901A666F2BB5922075417ADE1BEC36E7EE28A8098300
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 4fee8872d1361ee2674245de9c495d0ad33abe12ce74e34bf0e7733f6f9e0fb7
                                                                                                      • Instruction ID: f2b7852ad9a9dc956774c4dc1c06937c509f27efb86760b7b6ba7366918d8faf
                                                                                                      • Opcode Fuzzy Hash: 4fee8872d1361ee2674245de9c495d0ad33abe12ce74e34bf0e7733f6f9e0fb7
                                                                                                      • Instruction Fuzzy Hash: EEE0EC51B186560BDBA8966D58E03A967D2EB48340F505479D18EC3383DE286C469304
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 43aa6566a688c31b09f263c113919684e9614edbfd4a0db7b017aa3152d8d041
                                                                                                      • Instruction ID: fed9710177173abac45adc23d46d879e25444c18afb5548e9d8d9a14979328d6
                                                                                                      • Opcode Fuzzy Hash: 43aa6566a688c31b09f263c113919684e9614edbfd4a0db7b017aa3152d8d041
                                                                                                      • Instruction Fuzzy Hash: 39D05E20700E0E0FC650AA5D98D86B8B7C1EBDC122B5900BAD649C3356CE656C968381
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: bf3a92294814932756b0c4678d229f79e85fde3a864ad68404285a77e7d1b9c4
                                                                                                      • Instruction ID: 84ce0dcf64153009d618514f8746fc9a2789aeebbd1bba5c70a097feb779ab90
                                                                                                      • Opcode Fuzzy Hash: bf3a92294814932756b0c4678d229f79e85fde3a864ad68404285a77e7d1b9c4
                                                                                                      • Instruction Fuzzy Hash: 03D0A7107118090F87409759A4C827CB3C2FFDD253BA91076D10DC7361DF299D434341
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 1c24d7fdb8ecee0e730249dfd6195baaba3fc95438393c3962a6d05a58d6bf85
                                                                                                      • Instruction ID: 382d215068a8720217434b404ff6c1d91334b956520fc212988fac87bfbc6445
                                                                                                      • Opcode Fuzzy Hash: 1c24d7fdb8ecee0e730249dfd6195baaba3fc95438393c3962a6d05a58d6bf85
                                                                                                      • Instruction Fuzzy Hash: E8D0A718B2494A8FD384EF2C48AC17DB3E1FF583013611478C01AD3262EF2498438B01
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 12a24814713b9c6a997f22210b62e43cc6f5fa71c3eb0e4d2a7c12e41e731a22
                                                                                                      • Instruction ID: bfd3910afb7d9f102b8c31764805b052cd18ccbf624443f7320a86fcef11ea25
                                                                                                      • Opcode Fuzzy Hash: 12a24814713b9c6a997f22210b62e43cc6f5fa71c3eb0e4d2a7c12e41e731a22
                                                                                                      • Instruction Fuzzy Hash: 34D0A902F28C2917D2B8960D186133802D2FBEC211F25027EA00EC3382EC082C03428A
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 4eef774a28a393cdabcd26679eb132e2613ecd7011b28cda9e4675a9c815ecd4
                                                                                                      • Instruction ID: bb430f2d4ffd8a77238a92b61615c1a2c5d995a9fe65160260844b98141ed279
                                                                                                      • Opcode Fuzzy Hash: 4eef774a28a393cdabcd26679eb132e2613ecd7011b28cda9e4675a9c815ecd4
                                                                                                      • Instruction Fuzzy Hash: A4D02252B04B080BDB00BEEDAC8A63077C0DBB8313B0008BFD918C3322E658C1844381
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 6270fca06a3419f552e429943177e7dc3732fd0ae77fa27a7b0bb87e3468ed19
                                                                                                      • Instruction ID: 5c9752440af8b137f0cf2dbc648ed1cc3a449b3ef7e693a860ed7a0597e613c3
                                                                                                      • Opcode Fuzzy Hash: 6270fca06a3419f552e429943177e7dc3732fd0ae77fa27a7b0bb87e3468ed19
                                                                                                      • Instruction Fuzzy Hash: 1DE01220A1E3D05ED747AB7844BA4683FA1EF4B65175905EEC196CF1E3E55C2406C341
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 89bcf616aff3b2e4ed3a4740bd0394fe187883c3fcea794a5d93de5e4dc51eed
                                                                                                      • Instruction ID: b581378733190c781379c825b118184381ee283d779dd3718465b036874dae80
                                                                                                      • Opcode Fuzzy Hash: 89bcf616aff3b2e4ed3a4740bd0394fe187883c3fcea794a5d93de5e4dc51eed
                                                                                                      • Instruction Fuzzy Hash: 44D05E61D4410546EF049F21C4C178273A0EB54310F6040E9D8088A14ADBBDD5558F80
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 84e28c563f2d45a79e8da50cd9cda70a3042c072c04f5fbc6c34ebe23ad6af09
                                                                                                      • Instruction ID: 4a81514bddeb2b42eaac5d16e2a08cfdc62444f35f75c31ea0c15eed9ad754cd
                                                                                                      • Opcode Fuzzy Hash: 84e28c563f2d45a79e8da50cd9cda70a3042c072c04f5fbc6c34ebe23ad6af09
                                                                                                      • Instruction Fuzzy Hash: A1C09B00B18D191B5598953D14997BE03C2E7CC155310127F484FC3397DC194C472341
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 5a56fe42d60d9971f32dfd94f5962117d6fdc6778c10b13901185c502688042d
                                                                                                      • Instruction ID: 05c28491b873f1c9dd0dd6182ef2bcf0e44d92ba7c355906372c7e27985978e4
                                                                                                      • Opcode Fuzzy Hash: 5a56fe42d60d9971f32dfd94f5962117d6fdc6778c10b13901185c502688042d
                                                                                                      • Instruction Fuzzy Hash: 59B09B01F5554D06974451592D511585142C7C8173B55557AD40DC1397DC5E59550150
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: e9bc68b6d6ea5ab56e9b7d9261cd32731694ba2e7613c08701b95ddc4debac81
                                                                                                      • Instruction ID: 308b1d9b3acd039733d820172488acab242a22c78072a5155a16222629c47768
                                                                                                      • Opcode Fuzzy Hash: e9bc68b6d6ea5ab56e9b7d9261cd32731694ba2e7613c08701b95ddc4debac81
                                                                                                      • Instruction Fuzzy Hash: 8DA02203BC300E02880808CABCC00FAF300CBC2033BF222B3CA08C0200C8CF0AE222E0
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 6dd68a67fe56e9ac4c70c1cbaf9dac2fcb15f7e8bad3d1867d0720091d90473f
                                                                                                      • Instruction ID: 44b03c9d6cc2583e0cad4b25c5bdaa1790a1180f48bf30b58db0aa8fdd732371
                                                                                                      • Opcode Fuzzy Hash: 6dd68a67fe56e9ac4c70c1cbaf9dac2fcb15f7e8bad3d1867d0720091d90473f
                                                                                                      • Instruction Fuzzy Hash: 7FB01100F8F80A03EE0832B038230A820800F82202FC20838E80A82283ECCE2A822082
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 69fa368a9074982a3cd717159a2fb8436b9567fb4fcf4e6e0e9418bcb08a11b6
                                                                                                      • Instruction ID: c0aae36aa613fae0525c9ed778da2577df49ff07fd2c9452aee441ab3fc5d3b2
                                                                                                      • Opcode Fuzzy Hash: 69fa368a9074982a3cd717159a2fb8436b9567fb4fcf4e6e0e9418bcb08a11b6
                                                                                                      • Instruction Fuzzy Hash: 75A00230350B4C8F8A5C6B79409812476D6EB5B60A7581AAD9347C6396CD66DD014A04
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000001.00000002.631457862.00007FFDC2A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_1_2_7ffdc2a90000_IntelCpHeciSvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 668818acb4987d21b0e213bc886c1c1d45915897eee2322682315107b67180e4
                                                                                                      • Instruction ID: 56a939e8448dd523b4fd78acf8a8834ced00152d42ce03f280adc66afa17f9c5
                                                                                                      • Opcode Fuzzy Hash: 668818acb4987d21b0e213bc886c1c1d45915897eee2322682315107b67180e4
                                                                                                      • Instruction Fuzzy Hash: 2AB13A21B0C6564FEB19AE2D89A66B47BD0EF55302F1405BFD49BC72C3ED58E84287C1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.406516806.00007FFDC2A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A80000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ffdc2a80000_dhcpmon.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID: Ma!
                                                                                                      • API String ID: 0-3384484873
                                                                                                      • Opcode ID: e13cf1c748974b048030eb7e3a0f501964a6343e72067a31abcb198a032d1342
                                                                                                      • Instruction ID: 46244221a3b92c979becc56dac39b8760f1879ef5f05872970791a882728fa93
                                                                                                      • Opcode Fuzzy Hash: e13cf1c748974b048030eb7e3a0f501964a6343e72067a31abcb198a032d1342
                                                                                                      • Instruction Fuzzy Hash: 64220571B0C6894FE759DF2C88647797BE1EF5A301F5502BEE48AC73D2DE68A8018381
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.406516806.00007FFDC2A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A80000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ffdc2a80000_dhcpmon.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 86cd40596fcd9383529f707c40361e73b650cc1a69a5454696e2629b5aa43dd5
                                                                                                      • Instruction ID: 365039e5eb8f78e269687d35323101f7cda202c24447ed8a4e00267cc90e596f
                                                                                                      • Opcode Fuzzy Hash: 86cd40596fcd9383529f707c40361e73b650cc1a69a5454696e2629b5aa43dd5
                                                                                                      • Instruction Fuzzy Hash: 6461D3AAB0D68B0FFF91DF3988653342AD1EF59341F5521BAD48ACB2D2DD68A8418340
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.406516806.00007FFDC2A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A80000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ffdc2a80000_dhcpmon.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 6b99e3e0f067f80fbdd86fa2168b32666981e7529713ed1621ad8203f49a3e0b
                                                                                                      • Instruction ID: f405c4bd1176a1b4a09ae2303320797ac690f28615bf0835e2f4f981c4e2ef94
                                                                                                      • Opcode Fuzzy Hash: 6b99e3e0f067f80fbdd86fa2168b32666981e7529713ed1621ad8203f49a3e0b
                                                                                                      • Instruction Fuzzy Hash: 4F112920B1CA491FE344567C585A3F537D1EB4A226F2402BDF149C72E3EC88588A8381
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.406516806.00007FFDC2A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A80000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ffdc2a80000_dhcpmon.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: d3073ed8aa5ce4275b0ad8a249b62733003c0bd229c0446825edfc8105959fe3
                                                                                                      • Instruction ID: c5e8f493c308ba078af52a2fd7ff18e45128960f6cab2bd4af3ab15292aee222
                                                                                                      • Opcode Fuzzy Hash: d3073ed8aa5ce4275b0ad8a249b62733003c0bd229c0446825edfc8105959fe3
                                                                                                      • Instruction Fuzzy Hash: 5621C230708A494FDB49AB3C849DB683BE1FF5A311F5941F9E04ECB2A3DE28D8458701
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.406516806.00007FFDC2A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A80000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ffdc2a80000_dhcpmon.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 472f86b44c9db6335ccd697969cd4cf1a39b7fd19d2d88d237a3982a1a19ab47
                                                                                                      • Instruction ID: b02facd3eae82d18eedf32b5b0c0b2c80f03a547992f6f264f540947bd6a26c5
                                                                                                      • Opcode Fuzzy Hash: 472f86b44c9db6335ccd697969cd4cf1a39b7fd19d2d88d237a3982a1a19ab47
                                                                                                      • Instruction Fuzzy Hash: 1021F642F1DE9A0FF755A62E18A53B86782DF99221F0841FAE05DC33E7DD482C0A43D1
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.406516806.00007FFDC2A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A80000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ffdc2a80000_dhcpmon.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: e58c99e6f9642c4f2d01878d0c15a8d33c3b4715b20f8814ff03dbc98f065b4e
                                                                                                      • Instruction ID: 68ac96142c383c21da6f284f9519770078c7855c9ed7c56387c43e3fc7ce80be
                                                                                                      • Opcode Fuzzy Hash: e58c99e6f9642c4f2d01878d0c15a8d33c3b4715b20f8814ff03dbc98f065b4e
                                                                                                      • Instruction Fuzzy Hash: 76219A7190D6859FDB46EF38C4944A47FE0EF0A304B5445BEF48ACB253EA35A806CB16
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.406516806.00007FFDC2A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A80000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ffdc2a80000_dhcpmon.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 484401c7b0aad324cd4f3718f68546a8594a37fae14cf42e19994abfd12b0892
                                                                                                      • Instruction ID: 85c3d2e6212ba20b3117847c0554b51c7eec4bef83a93f2da79c334900c8043a
                                                                                                      • Opcode Fuzzy Hash: 484401c7b0aad324cd4f3718f68546a8594a37fae14cf42e19994abfd12b0892
                                                                                                      • Instruction Fuzzy Hash: 1011FC30B189498FEF68EF2898957B873D1FB58311F5006BAD41EC7296DE74A8518B81
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.406516806.00007FFDC2A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A80000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ffdc2a80000_dhcpmon.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 3b808edf792e5c69bf854b51eb5d51c802efdee735d30ceb697ca1bc1e60c0a3
                                                                                                      • Instruction ID: 1d8e3ea1186e1cb128d02e1a14e3960596ec243d14aff2ea10b78a6e45c0f52b
                                                                                                      • Opcode Fuzzy Hash: 3b808edf792e5c69bf854b51eb5d51c802efdee735d30ceb697ca1bc1e60c0a3
                                                                                                      • Instruction Fuzzy Hash: 81012605A4E7C91FEB46577408A52B53FA19F4B221B1500FEE04ACB2E3DC892C4BC350
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.406516806.00007FFDC2A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A80000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ffdc2a80000_dhcpmon.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: f0ffb3cc3d2f85b645102c5a79045ef4e0b79036d36386e4b12970a2b0911f0b
                                                                                                      • Instruction ID: d9a44a853a28df320d02c1d3e3a3709ee31375531ac298650f57762423974ba5
                                                                                                      • Opcode Fuzzy Hash: f0ffb3cc3d2f85b645102c5a79045ef4e0b79036d36386e4b12970a2b0911f0b
                                                                                                      • Instruction Fuzzy Hash: AF012B63F5DB9A0FF7425A3428661F52BD1DF52272F2505FBD089C7293ED4D68428280
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.406516806.00007FFDC2A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A80000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ffdc2a80000_dhcpmon.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 6d9736f5c9cb83b09ed94069cc1675ea751733ebacd97c7066fe8c362fcc5f0f
                                                                                                      • Instruction ID: ffa50f8d3e3dc156891c8b30d80a5e7de581942d7669d616c0f5ecd60b362b6c
                                                                                                      • Opcode Fuzzy Hash: 6d9736f5c9cb83b09ed94069cc1675ea751733ebacd97c7066fe8c362fcc5f0f
                                                                                                      • Instruction Fuzzy Hash: DF11AF02F8DB5BAEF6457BB918721BC25909F5535AB8404B6F08DC62D3DC8D644442AB
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.406516806.00007FFDC2A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A80000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ffdc2a80000_dhcpmon.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: fe31d923b04e1300e91153efe714b12950ad641f8e5e78f0384ab61499388da3
                                                                                                      • Instruction ID: 4c9f5e7ab1066f8b2a3162d59f576abf637d29a5cf2b9541c5aa4d47fb5292af
                                                                                                      • Opcode Fuzzy Hash: fe31d923b04e1300e91153efe714b12950ad641f8e5e78f0384ab61499388da3
                                                                                                      • Instruction Fuzzy Hash: 53110C31F0C2594FE768DE589CB12BC77D0DF42312F10027AC54BC7283DDAAA9028380
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.406516806.00007FFDC2A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A80000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ffdc2a80000_dhcpmon.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 653ca356bb04e5294564236c8a964006ca433eadb60857a0a1375483f3f511dc
                                                                                                      • Instruction ID: a7b66cd22fdb4fc857ca77e20d307ceae6d2b7366700c810793c082b385c7795
                                                                                                      • Opcode Fuzzy Hash: 653ca356bb04e5294564236c8a964006ca433eadb60857a0a1375483f3f511dc
                                                                                                      • Instruction Fuzzy Hash: 4D116521B08A498FDF85EB3C8498B6437E1DFA9301F5510F9940ECB297DD38DC088311
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.406516806.00007FFDC2A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A80000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ffdc2a80000_dhcpmon.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 119d130d64c8756eb793f8dea1a9a50aa01ad5b53404b5ec5a7edec3c14bed23
                                                                                                      • Instruction ID: bdc879144bbe5b671125ca1592834e825e29b18f8e098efc51b08190f4d6f3a3
                                                                                                      • Opcode Fuzzy Hash: 119d130d64c8756eb793f8dea1a9a50aa01ad5b53404b5ec5a7edec3c14bed23
                                                                                                      • Instruction Fuzzy Hash: E1112621A0EBC75FEB566B3844245743FA0AF16301B6845FDD089CB1D3FD68A805C352
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.406516806.00007FFDC2A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A80000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ffdc2a80000_dhcpmon.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 9163a44754bd5eb95d2f28d63b81040556d84a23c558b8e63f5354460877a311
                                                                                                      • Instruction ID: 8bb12ef29e8179ed6a9ba40f8ce412e07f5e9be3c2df03c17e5bb4f565641145
                                                                                                      • Opcode Fuzzy Hash: 9163a44754bd5eb95d2f28d63b81040556d84a23c558b8e63f5354460877a311
                                                                                                      • Instruction Fuzzy Hash: 9511E12090E7C25FD707A7384828568BF60AF17210B9949FEC0C5CF1E3E958544AC353
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.406516806.00007FFDC2A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A80000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ffdc2a80000_dhcpmon.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
                                                                                                      • Opcode ID: 2b77c6a8bfb07823cba46d192df7292993a512a6829ef5c9e08d6a2fa016f530
                                                                                                      • Instruction ID: 05877cfcc5c5abd5f1a0b5123abe7c80393df44e7dcd12b2c736fef8f4cad9cf
                                                                                                      • Opcode Fuzzy Hash: 2b77c6a8bfb07823cba46d192df7292993a512a6829ef5c9e08d6a2fa016f530
                                                                                                      • Instruction Fuzzy Hash: 16016892F5C74A0BF319766418A21B973E0EFA6216F5001BEE84FC33C3EC4CAC020282
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000003.00000002.406516806.00007FFDC2A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A80000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_3_2_7ffdc2a80000_dhcpmon.jbxd
                                                                                                      Similarity
                                                                                                      • API ID:
                                                                                                      • String ID:
                                                                                                      • API String ID:
• Opcode ID: 9ea5ce009f6492a20cc81adb144fc1804c072bb6fce53a218c5655557f9f2bfe
• Instruction ID: 60f34b5f1b9b81b51061618fa0296ba378a0130baedffc5686b5520fb8e06079
• Opcode Fuzzy Hash: 9ea5ce009f6492a20cc81adb144fc1804c072bb6fce53a218c5655557f9f2bfe
• Instruction Fuzzy Hash: FE01D41190E7C61FEB139B3C48684647FA0AF17220B9905FED0D9CB1E3FA59A51AC352
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.406516806.00007FFDC2A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffdc2a80000_dhcpmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48451044a4009025a74b0a9cfd91c229220a609e311d3e15ad29a0b4747571d3
• Instruction ID: aa97b2a89652f2260ac345e6cfc520435f15aa34449d054aeb79d4628e78df88
• Opcode Fuzzy Hash: 48451044a4009025a74b0a9cfd91c229220a609e311d3e15ad29a0b4747571d3
• Instruction Fuzzy Hash: 5AF02D52B0D3451FE305AA7454176B7BB50EF42252F4101BAE88AC3393DD89580142D3
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.406516806.00007FFDC2A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffdc2a80000_dhcpmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7493b37e48867daf2fc1e2305b82cc04dba448ed89f996dee2cdd847f11d903a
• Instruction ID: 1d140e6081380bf0c1ef6d145200b034f6b90866141f538aeedbede11f070572
• Opcode Fuzzy Hash: 7493b37e48867daf2fc1e2305b82cc04dba448ed89f996dee2cdd847f11d903a
• Instruction Fuzzy Hash: 98F09A2164E7C54FC70297388C68A957FB0EF9721170E04EAE089CF5A3D65CA859D362
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.406516806.00007FFDC2A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffdc2a80000_dhcpmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bc88886552676d2d946ab06436abac617c5c56c05e364dfe72e5d0b06457efad
• Instruction ID: 398040b9c6fbe2fdb98f269f52018e522d532b1044304ee3dcb916b1ec70e32f
• Opcode Fuzzy Hash: bc88886552676d2d946ab06436abac617c5c56c05e364dfe72e5d0b06457efad
• Instruction Fuzzy Hash: E4F0A02550F7D12FD7066B7598AA3D17F60AF03251F1985FBE084CB1E3DA98050AC792
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.406516806.00007FFDC2A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffdc2a80000_dhcpmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 52f7239ccc20dff2b79b14fea55f347cda3affa3142bae34213b0b03a782fcab
• Instruction ID: 7c5571ed14e863e8c56cb95dee43f2cab71f91c4d73748ae07bbaaec7fd8305a
• Opcode Fuzzy Hash: 52f7239ccc20dff2b79b14fea55f347cda3affa3142bae34213b0b03a782fcab
• Instruction Fuzzy Hash: 23F07970908B888F9B94EF1CC04866ABBF0FBA9316F504A2FE58CC3220DB75D545CB42
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.406516806.00007FFDC2A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffdc2a80000_dhcpmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 27b4405a45472ec34da3214d20323b8321ba17f20234e5028ce6bd99bbb7d390
• Instruction ID: c10696750d5eb8d66f974c9d3a9b38ee958c8501d5cc7d8fcb4d9a5159c95aab
• Opcode Fuzzy Hash: 27b4405a45472ec34da3214d20323b8321ba17f20234e5028ce6bd99bbb7d390
• Instruction Fuzzy Hash: 54F02431B596954FE3595E3C44A15B877A0EFA223235A02BDC547C76A2EE5818034701
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.406516806.00007FFDC2A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffdc2a80000_dhcpmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b613d3168de36e4f6c06a308dcee4d97be000af5be89238bd30f6d96e70d65b4
• Instruction ID: 7e12684b642a5dfd75983e744c62f9c2f503b82a894df53b80c9f22dd2f5d489
• Opcode Fuzzy Hash: b613d3168de36e4f6c06a308dcee4d97be000af5be89238bd30f6d96e70d65b4
• Instruction Fuzzy Hash: 38E0D8B260C64D1D73586A689C0B4B777D8DB922B3B10043FF08AC1611EDD7B40301E1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.406516806.00007FFDC2A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffdc2a80000_dhcpmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ae6eb69a1b28b1da94c4884b5aec389526121f273bfc32ce1cc30e15abd292b9
• Instruction ID: 0a10d640606c24a162b8b7be9359518fe62607b83f55e4b1401e9d98e77f4cc8
• Opcode Fuzzy Hash: ae6eb69a1b28b1da94c4884b5aec389526121f273bfc32ce1cc30e15abd292b9
• Instruction Fuzzy Hash: 29F05406E0DA990EF78AEA2848A41F91BB2EF5A291B8410BE900ED76A3EC586C454310
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.406516806.00007FFDC2A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffdc2a80000_dhcpmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1acac3a618d627430356a01edc333c905620281df51bc3e0c9547a47641c3114
• Instruction ID: fe15f6ec9c598fa50e725194267ab9f3a6cb3237b94e22cc22d80ec9cb780195
• Opcode Fuzzy Hash: 1acac3a618d627430356a01edc333c905620281df51bc3e0c9547a47641c3114
• Instruction Fuzzy Hash: 31E0923090E3D04FD7468BB888AE4187FE1EF5720170549EEC192CF4E2E62C2819C341
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.406516806.00007FFDC2A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffdc2a80000_dhcpmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 082f9525bc9f18095d492c7703769bb8c8b1071f4e8b6f1dc927e9f99819a880
• Instruction ID: fc3eb3bfa2bb49191f950ed0580758ac0bfa5ac52218313bc348fb4e60525eba
• Opcode Fuzzy Hash: 082f9525bc9f18095d492c7703769bb8c8b1071f4e8b6f1dc927e9f99819a880
• Instruction Fuzzy Hash: 65D0A923F24C291BD3A9960C48A17B82392F7D8221F15027A940AC3782EC082D0A4282
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.406516806.00007FFDC2A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffdc2a80000_dhcpmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 12e85df2fc038a3bccb1d541dc88ecd78552af645f631c003225786c4f9c0440
• Instruction ID: 2c2839c4c7138a52bf40410e44234c92b19446f8a7f19c64b67d24fe0c912911
• Opcode Fuzzy Hash: 12e85df2fc038a3bccb1d541dc88ecd78552af645f631c003225786c4f9c0440
• Instruction Fuzzy Hash: CED0A728B1484E8FD384DE2C88DC179B3E2FB983413A10478C01AD3162EE2498468B10
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.406516806.00007FFDC2A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffdc2a80000_dhcpmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c4eabbface11a4f5bd6977511a04fd8e872f53f13acda099df0bba60dffef98c
• Instruction ID: 05c28491b873f1c9dd0dd6182ef2bcf0e44d92ba7c355906372c7e27985978e4
• Opcode Fuzzy Hash: c4eabbface11a4f5bd6977511a04fd8e872f53f13acda099df0bba60dffef98c
• Instruction Fuzzy Hash: 59B09B01F5554D06974451592D511585142C7C8173B55557AD40DC1397DC5E59550150
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.406516806.00007FFDC2A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFDC2A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffdc2a80000_dhcpmon.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2e493ed019774dbd8327b839c0a9581dfc120d42c323f65923946e04d6be20f2
• Instruction ID: 1251027c62239f4656c67bb0e2a5e74d6994205016a2b0d3829fbfdcaa311c5a
• Opcode Fuzzy Hash: 2e493ed019774dbd8327b839c0a9581dfc120d42c323f65923946e04d6be20f2
• Instruction Fuzzy Hash: EBC08C08E2A00B04AE1C3936287107A12902F04103FC00535E48ACA382ECCD606592A1
Uniqueness
• Uniqueness Score: -1.00%